734700x800000000000000014033372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.957{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014033345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.955{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014033325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.954{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014033295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014033269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.696{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014033251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.837{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
734700x800000000000000014033246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.694{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
11241100x800000000000000014033224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.824{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA272021-09-29 18:56:29.824
11241100x800000000000000014033222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.824{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA272021-09-29 18:56:29.824
734700x800000000000000014033216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.679{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014033187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.670{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
734700x800000000000000014033165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014033135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.663{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014033108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.662{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014033061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.762{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValid
734700x800000000000000014033060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.761{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid
734700x800000000000000014033059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.761{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid
13241300x800000000000000014033056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014033050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000014033049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014033048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014033047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014033046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014033045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014033044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014033043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014033042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014033041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014033040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014033039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014033038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014033037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014033036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.753{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014033035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.753{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014033034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.752{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000014033033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.752{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000014033032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.734{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014033031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.734{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014033028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014033027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014033026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.716{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014033018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.716{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014033017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014033016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014033015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014033013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014033012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014033011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014033010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014033009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014033008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014033007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014033006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014033005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014033004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014033003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014033002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000014033001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
12241200x800000000000000014033000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014032999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.710{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000014032998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.710{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014032997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014032996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014032995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014032994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.708{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014032993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014032992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014032991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.698{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014032990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
734700x800000000000000014032989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014032988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014032987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014032986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.675{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014032985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014032984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014032983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014032982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014032981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.673{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014032980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.671{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014032979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.671{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014032978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.670{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 12241200x800000000000000014032977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.669{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014032976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014032975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014032974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014032973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.667{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014032972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 
734700x800000000000000014032971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014032970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014032969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.650{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000014032968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.644{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 
734700x800000000000000014032967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.643{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000014032966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.642{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000014032956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.636{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014032955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.635{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000014032954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:29.635{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014032952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.633{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014032951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:29.633{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014032949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.632{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000014032942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.632{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000014032919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.628{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000014032913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000014032912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000014032911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000014032910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.626{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014032909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.626{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014032907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014032906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014032905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014032889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014032880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014032878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014032837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014032836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014032835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014032834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.610{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014032833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.609{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014032832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.609{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014032823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.601{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 13241300x800000000000000014032815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.598{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b563-0xb652b5ad) 734700x800000000000000014032810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.586{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 
13241300x800000000000000014032777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.588{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList\a{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exe 13241300x800000000000000014032774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.587{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7E6AC0D5-FA09-4FAD-95E2-42C58DFAC111}\AppId{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exe 10341000x800000000000000014032766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.584{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014032765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:29.584{8B6011A9-EF7D-6151-C8C2-01000000F001}86488956C:\Windows\explorer.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014032764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.579{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 13241300x800000000000000014032753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
18:56:29.567{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\WScript.exe.ApplicationCompanyMicrosoft Corporation 13241300x800000000000000014032752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.567{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\WScript.exe.FriendlyAppNameMicrosoft ® Windows Based Script Host 734700x800000000000000014035156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.527{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014035131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.526{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000014035103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.511{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x800000000000000014035084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.984{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM\Log File Max Size65536 12241200x800000000000000014035083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.983{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014035082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.983{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014035074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.496{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014035047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.494{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 
734700x800000000000000014035021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.490{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014034992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.480{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014034966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.480{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 734700x800000000000000014034943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.478{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 
734700x800000000000000014034918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.477{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014034893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.477{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014034866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.477{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014034839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.476{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft 
WindowsValid 734700x800000000000000014034815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.468{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014034788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.466{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014034765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.466{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014034736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.466{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 
734700x800000000000000014034712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.466{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014034685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.464{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014034659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.449{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014034630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.442{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014034605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:30.442{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014034583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.441{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014034556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.441{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014034532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.441{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014034507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:30.440{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014034484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.440{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014034456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.439{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014034431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.437{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014034405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:30.434{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000014034377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.432{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014034352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.431{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014034327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.428{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 
734700x800000000000000014034302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.427{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014034278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.427{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014034247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.427{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014034228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.426{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 
734700x800000000000000014034200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.425{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014034173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.412{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014034147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.409{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014034121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.408{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000014034095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.408{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014034071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.408{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 13241300x800000000000000014034066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.534{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014034061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.534{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014034056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.534{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000014034051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.534{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000014034048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014034047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014034046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014034045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014034044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014034043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014034042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014034041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014034040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014034039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014034038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014034037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.531{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014034036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.530{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014034030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.408{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 
(rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014034007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.407{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014033980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.407{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 12241200x800000000000000014033961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.511{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014033953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.407{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 
734700x800000000000000014033927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.406{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 12241200x800000000000000014033909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.494{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014033903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.493{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014033901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.406{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 12241200x800000000000000014033898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.490{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014033871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.406{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 13241300x800000000000000014033851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
18:56:30.484{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014033850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.484{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014033849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.483{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000014033847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.405{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 13241300x800000000000000014033822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.481{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014033821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000014035208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.530{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014035181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.529{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 354300x800000000000000014035990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:45.781{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61923-false104.26.4.223-443https 734700x800000000000000014036399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 
734700x800000000000000014036370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.256{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 734700x800000000000000014036343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.254{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014036318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.250{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014036290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.245{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 
734700x800000000000000014036265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.229{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014036261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.230{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014036234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.228{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014036215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.271{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 
734700x800000000000000014036214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.270{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014036213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.269{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014036206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014036185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.258{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014036184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014036183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014036182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014036180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014036177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000014036154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014036153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014036152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014036151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014036150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014036149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.254{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014036148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.252{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014036147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.251{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014036146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:33.251{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014036145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014036144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014036143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014036142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:56:33.250{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014036133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 13241300x800000000000000014036112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.247{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014036110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.246{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014036109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.246{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014036073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.228{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014036072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014036071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014036070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 
734700x800000000000000014036069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014036066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014036065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014036064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000014036057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014036047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014036037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014036034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000014036033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014036031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.223{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014036030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 734700x800000000000000014036029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.223{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000014036027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014036025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014036024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014036022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.221{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000014036019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.221{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014036018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014036017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014036015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
10341000x800000000000000014036014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6DE-6154-C716-02000000F001}464010200C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014036013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014036012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014036011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014036010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014036009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:33.218{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014036008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.217{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.217{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014036006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.217{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014036005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.216{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000014036004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.215{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014036002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.215{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014036000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
10341000x800000000000000014035998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.211{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014035997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.210{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005ED0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000087E6948) 154100x800000000000000014035996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.210{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 13241300x800000000000000014036511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:35.288{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014036509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.288{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014036491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.275{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe 734700x800000000000000014036475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.270{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014036471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.270{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014036470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014036469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014036468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014036467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014036466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014036465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014036464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000014036463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 22542200x800000000000000014036461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:49.629{8B6011A9-B6E1-6154-C916-02000000F001}6352snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 734700x800000000000000014036460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014036459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014036458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014036457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014036455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014036453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014036452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014036450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014036447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014036445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.265{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014036441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014036440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014036439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014036436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014036434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014036433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014036432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014036430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014036429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:35.262{8B6011A9-B6DE-6154-C716-02000000F001}46408716C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014036428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014036427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014036426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014036425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.261{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014036424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:35.260{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014036423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.260{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014036421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:35.259{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014036420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:35.259{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000014036419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014036418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014036417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000014036415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014036414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014036413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014036412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
734700x800000000000000014036411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.256{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014036410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.254{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014036409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.253{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007460169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000087E68D0) 154100x800000000000000014036408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:35.253{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014036749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.410{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe 734700x800000000000000014036747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.381{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 734700x800000000000000014036719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.378{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 10341000x800000000000000014036694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014036693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014036692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014036691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014036690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014036689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014036688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014036687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014036686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014036685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014036684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014036683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014036682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014036681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014036680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014036679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.381{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 18141800x800000000000000014036678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 18:56:37.379{8B6011A9-B6DE-6154-C716-02000000F001}4640\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 734700x800000000000000014036670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.372{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 
734700x800000000000000014036648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.364{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 10341000x800000000000000014036624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014036623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014036622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014036539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.319{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014036538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.319{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014036536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014036535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014036534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014036533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014036532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014036531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014036530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014036529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014036528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014036527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.313{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014036526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.312{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000075D0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000034291B8) 154100x800000000000000014036525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.313{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014041484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.962{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014041432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.960{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014041405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.959{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 
734700x800000000000000014041376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.958{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000014041347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x800000000000000014041315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014041314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014041313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.956{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 
734700x800000000000000014041312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.711{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014041311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.711{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014041310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.710{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014041301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.595{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 
734700x800000000000000014041275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.578{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x800000000000000014041249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.574{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014041222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.573{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014041203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.571{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 
13241300x800000000000000014041179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014041178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014041177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014041176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014041175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014041174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
12241200x800000000000000014041172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.576{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014041171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.576{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014041170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014041169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014041168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014041167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014041166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014041165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014041164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014041163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014041162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014041161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 734700x800000000000000014041157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.570{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000014041150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x800000000000000014041127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.554{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x800000000000000014041104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.554{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014041094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.542{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000014041069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.538{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000014041048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014041041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:59:26.535{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014041040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.535{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000014041039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.533{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014041038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.532{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014041037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.532{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014041035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014041034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014041033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014041032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014041031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014041030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014041029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014041028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014041027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014041026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000014041025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 
13241300x800000000000000014041024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014041023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014041022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014041021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000014041020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014041019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.528{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000014041016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.520{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014041015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.520{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014041014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.519{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x800000000000000014041013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014041012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000014041011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014041010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.514{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014041009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.513{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014041008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x800000000000000014041007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014041006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014041005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.511{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014041004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.510{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014041003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.509{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014040998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.507{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014040991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.491{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000014040987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014040976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014040975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014040974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014040973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014040972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000014040971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014040969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.503{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014040966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.503{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 734700x800000000000000014040964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.487{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000014040943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.502{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014040942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014040941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014040940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic 
ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014040939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.500{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014040938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.498{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014040922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.483{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000014040905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.495{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014040903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.495{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014040902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.494{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000014040900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.493{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000014040899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.493{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft 
Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000014040895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.492{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000014040890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.488{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 12241200x800000000000000014040883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.486{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014040882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.486{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000014040880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.486{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014040871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.484{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014040870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:26.484{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014040868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.482{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000014040866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.479{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000014040861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.478{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft 
12241200x800000000000000014041877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014041876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014041875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014041874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014041873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.454{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014041872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.454{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014041871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.453{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000014041870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.451{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014041869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.451{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014041868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.446{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014041867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.445{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014041866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.443{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014041865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.427{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014041864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.426{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014041863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.426{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014041862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.424{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014041861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.423{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014041860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.420{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014041859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.420{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014041858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.415{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014041857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.412{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014041856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.410{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014041855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.367{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014041854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.365{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014041853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.208{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014041852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.207{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014041851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.207{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014041850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.206{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014041849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.205{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014041848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.205{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014041847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.204{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014041846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014041845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014041844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014041843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014041842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.201{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014041840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.200{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014041838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.199{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014041837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.198{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014041836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.197{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014041835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014041834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014041833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014041832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.195{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014041831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.194{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014041830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:27.194{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014041829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.193{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014041828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.193{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014041827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.190{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
734700x800000000000000014042066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014042065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014042064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014042063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.007{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
734700x800000000000000014042062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.007{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014042061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.005{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014042060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.004{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005440169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3A80) 154100x800000000000000014042059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:30.004{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 13241300x800000000000000014042300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:32.084{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014042298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.083{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014042275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.069{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe 734700x800000000000000014042261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.065{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014042260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014042259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014042258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014042257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft 
CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014042255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014042254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014042253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014042252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft 
CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014042251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014042250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014042249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014042247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014042245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014042244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014042242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014042240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014042238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014042236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014042234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.060{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014042232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.060{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014042229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.059{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014042227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.059{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014042225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014042224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014042223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014042221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 10341000x800000000000000014042220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:32.057{8B6011A9-B78F-6154-E816-02000000F001}98127396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014042219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 154100x800000000000000014042218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register 
ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014042217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014042216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014042215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.056{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 
734700x800000000000000014042214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.056{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014042213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.055{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014042212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.055{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014042211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.054{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
12241200x800000000000000014042210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:32.054{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014042209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.054{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014042208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:32.053{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014042207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014042206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014042205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014042204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014042203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014042202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014042201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.051{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014042200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.051{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014042199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.048{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014042198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:32.048{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000056A0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3AB0) 154100x800000000000000014042197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.048{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014042411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.214{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014042408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014042407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014042406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014042405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014042404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014042403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014042402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014042401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014042400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014042399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014042398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014042397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014042396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014042395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014042394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014042393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000014042392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.188{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000014042391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 18:59:34.188{8B6011A9-B78F-6154-E816-02000000F001}9812\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000014042390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.187{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000014042389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.187{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000014042388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.184{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014042387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.183{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014042386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.183{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014042385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.137{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014042331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.136{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014042330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.135{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014042329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.135{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014042328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014042327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014042326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014042325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014042324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014042323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014042322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014042321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.132{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014042320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
18:59:34.132{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014042319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.130{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014042318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.129{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006BA0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3AE0) 154100x800000000000000014042317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.129{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014049280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:20.640{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014049279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:20.640{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 354300x800000000000000014049413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:35.925{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62265-false46.43.90.184-7676- 734700x800000000000000014049459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:33.161{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=31B320D99570E7D6FFE82CED32FD3863,SHA256=66782B6B23A96A8CA8D1B6EEACA4296683B90DB006015D00DBC4E3B8D51B5995trueMicrosoft WindowsValid 734700x800000000000000014049458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014049457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014049456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 10341000x800000000000000014049455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:33.115{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014049454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.115{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014049453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.115{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 354300x800000000000000014049470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:48.701{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62280-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 534500x800000000000000014050125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.822{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe 11241100x800000000000000014050124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.820{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdb2021-09-29 19:07:50.819 10341000x800000000000000014050121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x800000000000000014050118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x800000000000000014050115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x800000000000000014050111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014050110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla 
734700x800000000000000014050072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 10341000x800000000000000014050071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C806-00000000F001}4884C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x800000000000000014050070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.803{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=3E0252D377C7905383A3780B13495CA9,SHA256=FD24AD22E174873DEDC5BB091A9E32CF2689063C5B18E79615B3B52081582FADtrueMicrosoft WindowsValid 
734700x800000000000000014050069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.803{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=409A29B1256F511E902B06665240FAB6,SHA256=5E2D6AC618928A94A5BCD13ECD8A4F7CD886A2FF14D745A5E5D254712360D07DtrueMicrosoft WindowsValid 734700x800000000000000014050068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.801{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\pstorec.dll10.0.14393.0 (rs1_release.160715-1616)Deprecated Protected Storage COM interfacesMicrosoft® Windows® Operating SystemMicrosoft Corporationpstorec.dllMD5=41AFC2542BE18E3DDE3F40946958D4AD,SHA256=4A526B86E47EA9DE7081A90B1473487F23FA74AF18D4FF8CA2A08EEEC08A8FEFtrueMicrosoft WindowsValid 734700x800000000000000014050067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.800{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014050066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.799{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 
734700x800000000000000014050065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.799{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 13241300x800000000000000014050064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014050063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014050062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000014050061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.795{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014050060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.795{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014050059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.793{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 10341000x800000000000000014050058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.793{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014050057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.792{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014050056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.792{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program 
Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7322-614B-EAFE-00000000F001}4868C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-731A-614B-E9FE-00000000F001}6496C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7319-614B-E8FE-00000000F001}7124C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7308-614B-E6FE-00000000F001}7888C:\Program Files\Mozilla 
19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CA06-00000000F001}504C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000014050008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C906-00000000F001}5096C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 734700x800000000000000014050007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 10341000x800000000000000014050006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C806-00000000F001}4884C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 534500x800000000000000014050005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.742{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe 11241100x800000000000000014050004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.741{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\ebffoaoexbenavqizobmrctzijlschk2021-09-29 19:07:50.740 734700x800000000000000014050003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.740{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014050002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.739{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014050001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.739{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 10341000x800000000000000014050000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.738{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014049999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.738{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014049998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-8A88-6153-59F3-01000000F001}9584C:\Windows\SysWOW64\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program 
Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
10341000x800000000000000014049992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)
|UNKNOWN(00000000240A1248) 10341000x800000000000000014049985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7322-614B-EAFE-00000000F001}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
10341000x800000000000000014049970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-731A-614B-E9FE-00000000F001}6496C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7319-614B-E8FE-00000000F001}7124C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7308-614B-E6FE-00000000F001}7888C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
19:07:50.733{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CA06-00000000F001}504C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.733{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C906-00000000F001}5096C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.733{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C806-00000000F001}4884C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.733{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5DE4-6143-C406-00000000F001}4312C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.733{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5DE3-6143-C206-00000000F001}4648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5278-6143-9200-00000000F001}3168C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-520E-6143-7600-00000000F001}3160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-5208-6143-6D00-00000000F001}3420C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FF-6143-4700-00000000F001}3708C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FF-6143-4400-00000000F001}3644C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FE-6143-3700-00000000F001}3320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
10341000x800000000000000014049912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-3300-00000000F001}2468C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-3000-00000000F001}1948C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2F00-00000000F001}3036C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2D00-00000000F001}3004C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
10341000x800000000000000014049908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2C00-00000000F001}2996C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2B00-00000000F001}2988C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2A00-00000000F001}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2900-00000000F001}2972C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2800-00000000F001}2964C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2700-00000000F001}2860C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2600-00000000F001}2840C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 
10341000x800000000000000014049901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2500-00000000F001}2772C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51F7-6143-2300-00000000F001}2612C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51F1-6143-2100-00000000F001}2500C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248) 10341000x800000000000000014049897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.731 Sysmon EventID 10 (ProcessAccess), Computer win-dc-469.attackrange.local, RuleName -. This record and EventRecordIDs 14049895 down to 14049881, 16 records in all, carry UtcTime 2021-09-29 19:07:50.731 and share one source, one GrantedAccess value and one CallTrace; they differ only in the target, tabulated below.
    SourceProcessGUID            {8B6011A9-B986-6154-2C17-02000000F001}
    SourceProcessId/SourceThreadId   89124692 (the export dropped the boundary between the two fields; the ImageLoad records for this GUID give ProcessId 8912, so SourceThreadId is 4692)
    SourceImage                  C:\Windows\winhlp32.exe
    GrantedAccess                0x1410 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10)
    CallTrace                    C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)

    EventRecordID        TargetProcessGUID                        TargetProcessId  TargetImage
    (on preceding line)  {8B6011A9-51F1-6143-2000-00000000F001}   2492             C:\Users\Public\splunkd.exe
    14049895             {8B6011A9-51EE-6143-1D00-00000000F001}   2072             C:\Windows\system32\svchost.exe
    14049894             {8B6011A9-51ED-6143-1700-00000000F001}   1484             C:\Windows\system32\svchost.exe
    14049893             {8B6011A9-51ED-6143-1600-00000000F001}   1324             C:\Windows\System32\svchost.exe
    14049892             {8B6011A9-51ED-6143-1500-00000000F001}   1260             C:\Windows\system32\svchost.exe
    14049891             {8B6011A9-51ED-6143-1400-00000000F001}   1048             C:\Windows\system32\dwm.exe
    14049890             {8B6011A9-51ED-6143-1300-00000000F001}   388              C:\Windows\system32\svchost.exe
    14049889             {8B6011A9-51ED-6143-1200-00000000F001}   692              C:\Windows\System32\svchost.exe
    14049888             {8B6011A9-51ED-6143-1100-00000000F001}   420              C:\Windows\system32\svchost.exe
    14049887             {8B6011A9-51ED-6143-1000-00000000F001}   96               C:\Windows\System32\svchost.exe
    14049886             {8B6011A9-51ED-6143-0F00-00000000F001}   300              C:\Windows\System32\svchost.exe
    14049885             {8B6011A9-51ED-6143-0E00-00000000F001}   1012             C:\Windows\system32\LogonUI.exe
    14049884             {8B6011A9-51ED-6143-0D00-00000000F001}   908              C:\Windows\system32\svchost.exe
    14049883             {8B6011A9-51ED-6143-0C00-00000000F001}   852              C:\Windows\system32\svchost.exe
    14049882             {8B6011A9-51EB-6143-0B00-00000000F001}   632              C:\Windows\system32\lsass.exe
    14049881             {8B6011A9-51EB-6143-0900-00000000F001}   572              C:\Windows\system32\winlogon.exe

Sysmon EventID 5 (ProcessTerminate), EventRecordID 14049896 (logged between the first two ProcessAccess records above), Computer win-dc-469.attackrange.local, RuleName -, UtcTime 2021-09-29 19:07:50.731, ProcessGuid {8B6011A9-B986-6154-2D17-02000000F001}, ProcessId 6464, Image C:\Windows\winhlp32.exe
11241100x800000000000000014049880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.730{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\gvlyptzyljwsdcmmiyofuonprydtwsbygd2021-09-29 19:07:50.730 734700x800000000000000014049879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014049878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 
(rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014049877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 10341000x800000000000000014049876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.727{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014049875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.727{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014049874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.725{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014049872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.725{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014049870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.724{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014049869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.723{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014049868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.716{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014049867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.715{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014049843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.700{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014049842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.699{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014049841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.690{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000014049840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.698{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 
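The ProcessAccess records above show one winhlp32.exe process (ProcessId 8912) opening every other process on the host within the same millisecond, from the svchost.exe instances and dwm.exe to LogonUI.exe, lsass.exe and winlogon.exe, always with GrantedAccess 0x1410 (query information plus VM_READ) and always through the same KERNELBASE.dll frame beneath winhlp32.exe's own code: a handle sweep across the process list. The lsass.exe records that follow run the other way (lsass.exe is the source, the call trace passes through lsasrv.dll, SspiSrv.dll and RPCRT4.dll, GrantedAccess 0x1478 and 0x1000): that is LSA servicing an SSPI call made by its client, which any authenticating process triggers, so a detection has to key on lsass.exe as the target, never as the source. The Python below is an added example, not part of this export or of the Attack Range project: it re-splits the undelimited export using the field order visible on the page, decodes GrantedAccess, and runs both checks over a constructed five-record sample modelled on the records above (call traces shortened). Assumptions: RuleName is "-" on every record, Sysmon's Task equals EventID with Opcode 0 (which is what makes the undelimited prefix splittable), the fan-out threshold of three distinct targets in one second is arbitrary, and SourceProcessId/SourceThreadId are left joined because the export dropped the boundary between them.

```python
import re
from collections import defaultdict

# Header of every flattened record: EventID Version Level Task Opcode Keywords
# EventRecordID Channel Computer RuleName UtcTime. Sysmon sets Task == EventID and
# Opcode == 0, so "10341000x8000000000000000<recid>" re-splits with a backreference.
# Assumption: RuleName is "-" on every record, as in this export.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})\d4(?P=eid)00x8000000000000000(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
)
# EventID 10 data: SourceProcessGUID SourceProcessId SourceThreadId SourceImage
# TargetProcessGUID TargetProcessId TargetImage GrantedAccess CallTrace. PID and TID
# cannot be separated without a GUID->PID map, so they stay one string; GrantedAccess
# ends where the CallTrace starts (a drive path or UNKNOWN).
PROCESS_ACCESS = re.compile(
    r"^\{(?P<sguid>[0-9A-F-]{36})\}(?P<spid_tid>\d+)(?P<simage>[A-Za-z]:\\.*?)"
    r"\{(?P<tguid>[0-9A-F-]{36})\}(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.*?)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN)(?P<trace>.*)$", re.S)
ACCESS_FLAGS = {  # PROCESS_* access rights from winnt.h
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
    0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION",
    0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}


def decode_access(mask_hex):
    """Expand a GrantedAccess mask such as 0x1410 into named rights, lowest bit first."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in sorted(ACCESS_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_FLAGS)
    return names + ([f"0x{unknown:x}"] if unknown else [])


def split_events(blob):
    """Cut the undelimited export into records; each body runs up to the next header."""
    heads = list(HEADER.finditer(blob))
    events = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(blob)
        events.append({"eid": int(m["eid"]), "rec": int(m["rec"]), "host": m["host"],
                       "utc": m["utc"], "body": blob[m.end():end].strip()})
    return events


def parse_process_access(body):
    m = PROCESS_ACCESS.match(body)
    return m.groupdict() if m else None


def detect(events, fanout_threshold=3):
    """EventID 10 checks: a non-lsass process granted VM_READ on lsass.exe, and one
    process opening handles to >= fanout_threshold distinct processes in one second."""
    findings, fanout = [], defaultdict(set)
    for ev in events:
        pa = parse_process_access(ev["body"]) if ev["eid"] == 10 else None
        if pa is None:
            continue
        src, tgt = pa["simage"].lower(), pa["timage"].lower()
        if src.endswith("\\lsass.exe"):
            # lsass opening its own client (lsasrv/SspiSrv/RPCRT4 in the trace) is the
            # server side of an SSPI call, not credential access: ignore lsass as source.
            continue
        if tgt.endswith("\\lsass.exe") and "PROCESS_VM_READ" in decode_access(pa["access"]):
            findings.append(("lsass_vm_read", pa["simage"], pa["access"], ev["rec"]))
        fanout[(pa["simage"], pa["spid_tid"], ev["utc"][:19])].add(pa["tguid"])
    for (image, _spid_tid, second), targets in fanout.items():
        if len(targets) >= fanout_threshold:
            findings.append(("process_fanout", image, len(targets), second))
    return findings


# Constructed sample in the export's own undelimited layout, modelled on the records
# above (call traces shortened); not a verbatim copy of the page.
def rec(eid, version, recid, utc, body):
    return (f"{eid}{version}4{eid}00x8000000000000000{recid}Microsoft-Windows-Sysmon/"
            f"Operationalwin-dc-469.attackrange.local-{utc}{body} ")


TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|"
         r"C:\Windows\winhlp32.exe+11305(wow64)|UNKNOWN(00000000240A1248)")
WINHLP = r"{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe"
T = "2021-09-29 19:07:50.731"
SAMPLE = "".join([
    rec(10, 3, 14049895, T, WINHLP + r"{8B6011A9-51EE-6143-1D00-00000000F001}2072"
        r"C:\Windows\system32\svchost.exe0x1410" + TRACE),
    rec(10, 3, 14049882, T, WINHLP + r"{8B6011A9-51EB-6143-0B00-00000000F001}632"
        r"C:\Windows\system32\lsass.exe0x1410" + TRACE),
    rec(10, 3, 14049881, T, WINHLP + r"{8B6011A9-51EB-6143-0900-00000000F001}572"
        r"C:\Windows\system32\winlogon.exe0x1410" + TRACE),
    rec(11, 2, 14049880, "2021-09-29 19:07:50.730",  # FileCreate: not a ProcessAccess record
        r"{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Users\Administrator"
        r"\AppData\Local\Temp\2\gvlyptzyljwsdcmmiyofuonprydtwsbygd2021-09-29 19:07:50.730"),
    rec(10, 3, 14049876, "2021-09-29 19:07:50.727",  # lsass as source: SSPI server side
        r"{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe"
        r"{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1478"
        r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|"
        r"C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593"),
])
```

On the sample, detect(split_events(SAMPLE)) returns two findings: winhlp32.exe granted 0x1410 on lsass.exe (EventRecordID 14049882) and winhlp32.exe fanning out to three distinct processes in the 19:07:50 second; the lsass.exe-as-source record and the FileCreate record produce nothing. To run it over this page, pass the raw export text to split_events unchanged; the fan-out threshold is the knob to tune against a baseline of legitimate enumerators such as monitoring agents.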
734700x800000000000000014049839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.691{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000014049838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.698{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014049837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.689{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000014049836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.698{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014049835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.698{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014049834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.698{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014049833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.697{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014049832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.697{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014049831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.696{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014049830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.696{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014049829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.696{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014049828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.696{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporation | kernel.appcore.dll | MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69 | true | Microsoft Windows | Valid   (tail of the record begun on the preceding line)

Sysmon Event ID 7 (Image loaded) records, one per line. Fields that are identical on every record below are omitted from the rows: Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local, RuleName -, Product Microsoft® Windows® Operating System, Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid.

EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | OriginalFileName | Hashes
14049827 | 2021-09-29 19:07:50.696 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130) | SHCORE | SHCORE.dll | MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
14049826 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | POWRPROF.DLL | MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489
14049825 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | ucrtbase.dll | MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87
14049824 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\windows.storage.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft WinRT Storage API | Windows.Storage.dll | MD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037F
14049823 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | COMBASE.DLL | MD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737
14049822 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | CFGMGR32.DLL | MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97
14049821 | 2021-09-29 19:07:50.695 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\comdlg32.dll | 10.0.14393.4283 (rs1_release.210303-1802) | Common Dialogs DLL | comdlg32.dll | MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909
14049820 | 2021-09-29 19:07:50.694 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | OLE32.DLL | MD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6
14049819 | 2021-09-29 19:07:50.694 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\shell32.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Shell Common Dll | SHELL32.DLL | MD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BE
14049818 | 2021-09-29 19:07:50.694 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\profapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | User Profile Basic API | PROFAPI.DLL | MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C
14049817 | 2021-09-29 19:07:50.694 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | kernel.appcore.dll | MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69
14049816 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | POWRPROF.DLL | MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489
14049815 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\shlwapi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Shell Light-weight Utility Library | SHLWAPI.DLL | MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95
14049814 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\windows.storage.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft WinRT Storage API | Windows.Storage.dll | MD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037F
14049813 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130) | SHCORE | SHCORE.dll | MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
14049812 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | cryptbase.dll | MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891
14049811 | 2021-09-29 19:07:50.693 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | CFGMGR32.DLL | MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97
14049809 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | bcryptprimitives.dll | MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D
14049808 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sspicli.dll | 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Security Support Provider Interface | security.dll | MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6
14049807 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\shell32.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Shell Common Dll | SHELL32.DLL | MD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BE
14049806 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | ucrtbase.dll | MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87
14049805 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | rpcrt4.dll | MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4
14049804 | 2021-09-29 19:07:50.692 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | COMBASE.DLL | MD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737
14049803 | 2021-09-29 19:07:50.691 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | sechost.dll | MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B
14049802 | 2021-09-29 19:07:50.691 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\comdlg32.dll | 10.0.14393.4283 (rs1_release.210303-1802) | Common Dialogs DLL | comdlg32.dll | MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909
14049801 | 2021-09-29 19:07:50.691 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | advapi32.dll | MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75
14049800 | 2021-09-29 19:07:50.691 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\shlwapi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Shell Light-weight Utility Library | SHLWAPI.DLL | MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95
14049799 | 2021-09-29 19:07:50.691 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130) | SHCORE | SHCORE.dll | MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
14049798 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | cryptbase.dll | MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891
14049797 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | advapi32.dll | MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75
14049796 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | bcryptprimitives.dll | MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D
14049795 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sspicli.dll | 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Security Support Provider Interface | security.dll | MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6
14049794 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | ucrtbase.dll | MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87
14049793 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | rpcrt4.dll | MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4
14049792 | 2021-09-29 19:07:50.690 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | COMBASE.DLL | MD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737
14049791 | 2021-09-29 19:07:50.689 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | sechost.dll | MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B
14049790 | 2021-09-29 19:07:50.689 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | advapi32.dll | MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75
14049789 | 2021-09-29 19:07:50.688 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\comdlg32.dll | 10.0.14393.4283 (rs1_release.210303-1802) | Common Dialogs DLL | comdlg32.dll | MD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909
14049788 | 2021-09-29 19:07:50.684 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | gdi32 | MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A
14049787 | 2021-09-29 19:07:50.683 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | gdi32 | MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
14049786 | 2021-09-29 19:07:50.683 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Win32u.DLL | MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
14049785 | 2021-09-29 19:07:50.682 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
14049784 | 2021-09-29 19:07:50.682 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | sechost.dll | MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B
14049783 | 2021-09-29 19:07:50.681 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | bcryptprimitives.dll | MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D
14049782 | 2021-09-29 19:07:50.681 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | cryptbase.dll | MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891
14049781 | 2021-09-29 19:07:50.681 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\sspicli.dll | 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Security Support Provider Interface | security.dll | MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6
14049780 | 2021-09-29 19:07:50.681 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | rpcrt4.dll | MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4
14049779 | 2021-09-29 19:07:50.680 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | msvcrt.dll | MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
14049778 | 2021-09-29 19:07:50.679 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | gdi32 | MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A
14049777 | 2021-09-29 19:07:50.679 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | gdi32 | MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
14049776 | 2021-09-29 19:07:50.679 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Kernelbase.dll | MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E
14049775 | 2021-09-29 19:07:50.678 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Win32u.DLL | MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
14049774 | 2021-09-29 19:07:50.678 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
14049773 | 2021-09-29 19:07:50.678 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E
14049772 | 2021-09-29 19:07:50.678 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | msvcrt.dll | MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
14049771 | 2021-09-29 19:07:50.677 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64cpu.dll | 10.0.14393.3503 (rs1_release.200131-0410) | AMD64 Wow64 CPU | wow64cpu.dll | MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82
14049770 | 2021-09-29 19:07:50.677 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | gdi32 | MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A
14049769 | 2021-09-29 19:07:50.677 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
14049768 | 2021-09-29 19:07:50.677 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | gdi32 | MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
14049767 | 2021-09-29 19:07:50.677 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886
14049766 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Win32u.DLL | MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
14049765 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\version.dll | 10.0.14393.0 (rs1_release.160715-1616) | Version Checking and File Installation Libraries | VERSION.DLL | MD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9
14049764 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Kernelbase.dll | MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E
14049763 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E
14049762 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
14049761 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886
14049760 | 2021-09-29 19:07:50.676 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E
14049759 | 2021-09-29 19:07:50.675 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | msvcrt.dll | MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
14049758 | 2021-09-29 19:07:50.675 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64win.dll | 10.0.14393.3383 (rs1_release.191125-1816) | Wow64 Console and Win32 API Logging | wow64lg2.dll | MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0
14049757 | 2021-09-29 19:07:50.675 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64.dll | 10.0.14393.3503 (rs1_release.200131-0410) | Win32 Emulation on NT64 | wow64.dll | MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D
14049756 | 2021-09-29 19:07:50.675 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64cpu.dll | 10.0.14393.3503 (rs1_release.200131-0410) | AMD64 Wow64 CPU | wow64cpu.dll | MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82
14049755 | 2021-09-29 19:07:50.675 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
14049754 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | ntdll.dll | MD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292F
14049753 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886
14049752 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Kernelbase.dll | MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E
14049751 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A
14049750 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E
14049749 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\SysWOW64\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E
14049748 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2D17-02000000F001} | 6464 | C:\Windows\winhlp32.exe | C:\Windows\winhlp32.exe | 10.0.14393.0 (rs1_release.160715-1616) | Windows Winhlp32 Stub | WINHLP32.EXE | MD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E
14049747 | 2021-09-29 19:07:50.674 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886
14049746 | 2021-09-29 19:07:50.673 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64win.dll | 10.0.14393.3383 (rs1_release.191125-1816) | Wow64 Console and Win32 API Logging | wow64lg2.dll | MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0
14049745 | 2021-09-29 19:07:50.673 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64cpu.dll | 10.0.14393.3503 (rs1_release.200131-0410) | AMD64 Wow64 CPU | wow64cpu.dll | MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82
14049744 | 2021-09-29 19:07:50.673 | {8B6011A9-B986-6154-2C17-02000000F001} | 8912 | C:\Windows\winhlp32.exe | C:\Windows\System32\wow64.dll | 10.0.14393.3503 (rs1_release.200131-0410) | Win32 Emulation on NT64 | wow64.dll | MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D
14049743 | 2021-09-29 19:07:50.673 | {8B6011A9-B986-6154-2B17-02000000F001} | 9804 | C:\Windows\winhlp32.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000014049742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x800000000000000014049741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014049740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 10341000x800000000000000014049739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.672{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+10537(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x800000000000000014049738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 154100x800000000000000014049737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext 
"C:\Users\Administrator\AppData\Local\Temp\2\gvlyptzyljwsdcmmiyofuonprydtwsbygd"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 734700x800000000000000014049736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014049735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014049734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 734700x800000000000000014049733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014049732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 10341000x800000000000000014049731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x800000000000000014049730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 10341000x800000000000000014049729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.670{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+104b4(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000014049728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext "C:\Users\Administrator\AppData\Local\Temp\2\ebffoaoexbenavqizobmrctzijlschk"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 734700x800000000000000014049727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.670{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014049726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.670{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014049725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.669{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014049724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:07:50.668{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+10428(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000014049723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.669{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext "C:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdb"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 354300x800000000000000014049697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:08:03.497{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62287-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 23542300x800000000000000014050128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:51.175{8B6011A9-B6E1-6154-C916-02000000F001}6352ATTACKRANGE\AdministratorC:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdbMD5=43CE8A8C022FF2D85D4BD19797EFFC55,SHA256=CCEA5FEEAFBD66FCB18CB159331BF9DAB676EAF1E2B90E069F53C16271774253falsetrue 534500x800000000000000014050689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.884{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exe 23542300x800000000000000014050688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.882{8B6011A9-B9AE-6154-3217-02000000F001}8908ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\rmfgfpdhwdikg.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue 734700x800000000000000014050687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.881{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014050686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.880{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014050685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.877{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014050684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014050683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014050682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014050681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014050680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014050679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014050678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014050677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.873{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014050676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.872{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014050675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.872{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014050674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.871{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x800000000000000014050673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.870{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014050672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.870{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014050671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.869{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014050670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.867{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014050669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.865{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014050668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.865{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014050667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.864{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014050666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.863{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014050665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.862{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014050664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.861{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014050663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.861{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014050662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.858{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
19:09:47.990{8B6011A9-B9FB-6154-A419-02000000F001}17041164C:\Windows\System32\WScript.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014132826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.989{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014132825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.985{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 
(rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014132824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.982{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014132823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.977{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014132708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.894{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014132707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.892{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 
734700x800000000000000014132706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.890{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014132705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.889{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014132704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.888{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014132703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.888{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014132702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.887{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 
734700x800000000000000014132701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.887{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 10341000x800000000000000014132695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.850{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:47.850{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:47.805{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.805{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:47.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014132084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.606{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014132083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.605{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014132082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.604{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014132034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.494{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014132032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014132031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014132030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014132029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014132028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014132027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014132026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.480{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014132025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 
12241200x800000000000000014132024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014132023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014132022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014132021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014132020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014132019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014132018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014132017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014132016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014132015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014132014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014132013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014132012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.478{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014132011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.478{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014132010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.477{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014132009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.477{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 10341000x800000000000000014132004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:47.468{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.468{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000014131944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:09:47.463{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014131938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.463{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014131830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.452{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014131828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014131827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.449{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014131814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.448{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014131808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.447{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014131807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.446{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014131806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.446{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014131801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014131800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014131799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014131798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014131797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014131795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014131794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014131793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
13241300x800000000000000014131792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014131791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014131790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x800000000000000014131789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014131788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014131787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014131786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000014131785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014131784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014131783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.442{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014131781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.442{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014131778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.441{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014131771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.439{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.439{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.438{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014131760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.435{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014131749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.431{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
10341000x800000000000000014131739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.427{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.427{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.399{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014131529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.378{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014131528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.378{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014131527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.377{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014131526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.375{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
734700x800000000000000014131524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.361{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014131515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.357{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014131514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.357{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014131513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014131512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014131511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014131510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014131507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014131505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014131504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.354{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
734700x800000000000000014131503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.354{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
12241200x800000000000000014131502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.353{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014131501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.353{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014131500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.352{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014131499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.352{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014131498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.351{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014131497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.350{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014131496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014131495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014131494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014131490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.348{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014131488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.347{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014131477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.342{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014131476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.341{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014131470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.339{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
734700x800000000000000014131468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.338{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014131466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.337{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014131465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.337{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014131458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.336{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014131451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.333{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014131447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.330{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
13241300x800000000000000014131445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.330{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b565-0x91cf106c)
734700x800000000000000014131441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.329{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014131440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.329{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014131439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014131438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014131437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014131436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014131435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x800000000000000014131434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014131432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014131431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014131430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x800000000000000014131429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014131428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014131427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014131424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.325{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x800000000000000014131418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.324{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014131416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.324{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014131407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.323{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014131405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.323{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 
10341000x800000000000000014131399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.322{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014131398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.321{8B6011A9-EF7D-6151-C8C2-01000000F001}86488760C:\Windows\explorer.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014131397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.320{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" 
"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 10341000x800000000000000014134897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.928{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.928{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.879{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.879{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.848{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.848{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014134343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.792{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014134339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.788{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
734700x800000000000000014134337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.787{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 10341000x800000000000000014134159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.655{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014134158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.654{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014133966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.629{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014133962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.628{8B6011A9-B9FB-6154-AE19-02000000F001}76284620C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014133961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.628{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014133954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.623{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014133947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.621{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 10341000x800000000000000014133920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.609{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014133919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.609{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000014133903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014133899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014133888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
734700x800000000000000014133741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.591{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014133677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.568{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
734700x800000000000000014133671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.559{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014133670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.556{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014133669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.555{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
12241200x800000000000000014133668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.553{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
12241200x800000000000000014133667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.553{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
734700x800000000000000014133666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.552{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014133665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.549{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
10341000x800000000000000014133519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.397{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.397{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.355{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.355{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014133056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.250{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014133055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.250{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014133054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.248{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
734700x800000000000000014132962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.136{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
13241300x800000000000000014132961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.121{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014132957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.119{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
12241200x800000000000000014132956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014132955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014132954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014132949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014132946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014132943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.115{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014132942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.114{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
734700x800000000000000014132941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.113{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014132940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.111{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
12241200x800000000000000014132939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.095{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014132938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.095{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid
734700x800000000000000014132935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.082{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014132934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
12241200x800000000000000014132933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.078{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.076{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014132925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.076{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
13241300x800000000000000014132924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014132923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014132922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
734700x800000000000000014132920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid
13241300x800000000000000014132919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014132918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014132917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014132916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014132915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014132914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014132913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014132912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014132911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.067{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
13241300x800000000000000014132910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014132909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014132908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014132907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014132906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.065{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014132905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.065{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014132904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.064{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid
734700x800000000000000014132903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.063{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014132902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.062{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid
734700x800000000000000014132901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.060{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
10341000x800000000000000014132900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.058{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.058{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014132898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.054{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014132897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid
734700x800000000000000014132896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014132895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014132894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.051{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014132893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.051{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014132892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.049{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
734700x800000000000000014132891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.036{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014132890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.032{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014132889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.032{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014132888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014132887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014132886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014132885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014132884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.030{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014132883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.030{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014132882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29
19:09:48.027{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014132881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.024{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014132880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.023{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014132879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.022{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014132878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.022{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014132877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.020{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014132876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014132875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014132874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014132873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.017{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014132872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.016{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014132871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.016{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014132870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.011{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014132869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.010{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014132868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.009{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014132867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014132866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014132865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014132864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.007{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.006{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014132862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:48.006{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014132861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.005{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014132860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.005{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014132859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.002{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000014132858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014132857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014132856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014132855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000014132854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014132853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014132852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014132851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014132850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014132849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014132848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014132847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
10341000x800000000000000014137274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.938{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.938{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014137079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014136981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.896{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014136980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:49.896{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014136606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.696{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014136605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.702{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.702{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.661{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.661{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000014138417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:04.454{8B6011A9-B9FB-6154-AE19-02000000F001}7628paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014138412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.457{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.457{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.413{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014138176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.413{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.204{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.204{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.162{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014137610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:50.162{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Do
wnloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014140968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.474{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014140967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.474{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014140966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014142150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.021{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.004{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.004{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:52.003{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.003{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014141904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014143841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:53.288{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014143839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.288{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014143803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.271{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe 734700x800000000000000014143801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.267{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014143800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014143799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014143798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014143797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014143796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014143795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 
734700x800000000000000014143794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014143793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014143792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014143791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 
734700x800000000000000014143790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014143789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014143787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014143785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 
734700x800000000000000014143784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014143782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014143780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014143777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 
734700x800000000000000014143775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014143772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.261{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014143771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.261{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014143768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 
734700x800000000000000014143766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014143765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014143764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014143762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 
10341000x800000000000000014143761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-B9FB-6154-AE19-02000000F001}76284932C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014143760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014143759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014143758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014143757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014143756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014143755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.257{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014143754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.257{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014143753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.256{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014143752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:09:53.256{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014143751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:53.256{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014143750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.256{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014143749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014143748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000014143747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014143746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014143745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014143744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
734700x800000000000000014143743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.253{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014143742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.253{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014143741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.251{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014143740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.250{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005C30169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000003230DC0) 154100x800000000000000014143739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.251{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 22542200x800000000000000014143738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:07.598{8B6011A9-B9FE-6154-E419-02000000F001}1592snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 10341000x800000000000000014143736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.039{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.039{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.038{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.038{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000014143937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:06.748{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62367-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 10341000x800000000000000014143936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:54.059{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014143935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:54.059{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x800000000000000014144126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.398{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014144121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014144120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014144119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014144118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014144117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014144116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014144115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014144114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014144113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014144112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014144111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014144110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014144109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014144108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014144107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014144106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000014144105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.363{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000014144104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 19:09:55.362{8B6011A9-B9FB-6154-AE19-02000000F001}7628\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000014144103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.362{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000014144102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.356{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000014144101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014144100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014144099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014144098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000014144097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014144096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014144095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000014144094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014144093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:55.351 (EventID 10 ProcessAccess; the header of this record is on the preceding line)
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)

Layout of this export: the run of digits that opens each raw record is EventID, Version, Level, Task, Opcode, Keywords and EventRecordID (10341000x800000000000000014144092 = EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, record 14144092); Version is 3 for EventID 10, 7 and 5, 2 for EventID 11 and 5 for EventID 23 and 1, Level 4, Opcode 0 and Task = EventID throughout. Channel is Microsoft-Windows-Sysmon/Operational and Computer is win-dc-469.attackrange.local for every record, RuleName is "-" for every record, and records are listed newest first. Below, each record is shown as a header line followed by its EventData fields in Sysmon schema order.

[EventID 10 ProcessAccess, RecordID 14144092, UtcTime 2021-09-29 19:09:55.351]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)

[EventID 10 ProcessAccess, RecordID 14144091, UtcTime 2021-09-29 19:09:55.351]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)

[EventID 10 ProcessAccess, RecordID 14144090, UtcTime 2021-09-29 19:09:55.351]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)

[EventID 7 ImageLoad, RecordID 14144089, UtcTime 2021-09-29 19:09:55.350]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Windows\SysWOW64\ntmarta.dll
  FileVersion=10.0.14393.1378 (rs1_release.170620-2008) Description=Windows NT MARTA provider Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ntmarta.dll
  Hashes=MD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 11 FileCreate, RecordID 14144088, UtcTime 2021-09-29 19:09:55.348]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 Image=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs CreationUtcTime=2021-09-29 18:56:37.362

[EventID 23 FileDelete, RecordID 14144087, UtcTime 2021-09-29 19:09:55.348]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 User=ATTACKRANGE\Administrator Image=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs
  Hashes=MD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89 IsExecutable=false Archived=true

[EventID 10 ProcessAccess, RecordID 14144086, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)

[EventID 10 ProcessAccess, RecordID 14144085, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)

[EventID 10 ProcessAccess, RecordID 14144084, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)

[EventID 10 ProcessAccess, RecordID 14144083, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)

[EventID 10 ProcessAccess, RecordID 14144082, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)

[EventID 10 ProcessAccess, RecordID 14144081, UtcTime 2021-09-29 19:09:55.346]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)

[EventID 10 ProcessAccess, RecordID 14144080, UtcTime 2021-09-29 19:09:55.345]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)

[EventID 7 ImageLoad, RecordID 14144079, UtcTime 2021-09-29 19:09:55.339]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Program Files\7-Zip\7-zip32.dll
  FileVersion=19.00 Description=7-Zip Shell Extension Product=7-Zip Company=Igor Pavlov OriginalFileName=7-zip.dll
  Hashes=MD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344 Signed=false Signature=- SignatureStatus=Unavailable

[EventID 7 ImageLoad, RecordID 14144078, UtcTime 2021-09-29 19:09:55.337]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll
  FileVersion=6.10 (rs1_release.210107-1130) Description=User Experience Controls Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=comctl32.DLL
  Hashes=MD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144077, UtcTime 2021-09-29 19:09:55.321]
  ProcessGuid={8B6011A9-B9FB-6154-AE19-02000000F001} ProcessId=7628 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Windows\SysWOW64\zipfldr.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Compressed (zipped) Folders Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ZIPFLDR.DLL
  Hashes=MD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 5 ProcessTerminate, RecordID 14144076, UtcTime 2021-09-29 19:09:55.316]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe

[EventID 7 ImageLoad, RecordID 14144075, UtcTime 2021-09-29 19:09:55.312]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\imm32.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Multi-User Windows IMM32 API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=imm32
  Hashes=MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144074, UtcTime 2021-09-29 19:09:55.311]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\netutils.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Net Win32 API Helpers DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NETUTILS.DLL
  Hashes=MD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144073, UtcTime 2021-09-29 19:09:55.311]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\srvcli.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Server Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SRVCLI.DLL
  Hashes=MD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144072, UtcTime 2021-09-29 19:09:55.311]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\iertutil.dll
  FileVersion=11.00.14393.4467 (rs1_release.210604-1844) Description=Run time utility for Internet Explorer Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=IeRtUtil.dll
  Hashes=MD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144071, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base Multimedia Extension API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMMbase.DLL
  Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144070, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base Multimedia Extension API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMMbase.DLL
  Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144069, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll
  FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=Microsoft GDI+ Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdiplus
  Hashes=MD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144068, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\urlmon.dll
  FileVersion=11.00.14393.4530 (rs1_release.210705-0736) Description=OLE32 Extensions for Win32 Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=UrlMon.dll
  Hashes=MD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144067, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmm.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=MCI API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMM.DLL
  Hashes=MD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144066, UtcTime 2021-09-29 19:09:55.310]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\ws2_32.dll
  FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) Description=Windows Socket 2.0 32-Bit DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ws2_32.dll
  Hashes=MD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144065, UtcTime 2021-09-29 19:09:55.309]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\profapi.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=User Profile Basic API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=PROFAPI.DLL
  Hashes=MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144064, UtcTime 2021-09-29 19:09:55.309]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\SHCore.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=SHCORE Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHCORE.dll
  Hashes=MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144063, UtcTime 2021-09-29 19:09:55.309]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\kernel.appcore.dll
  FileVersion=10.0.14393.2312 (rs1_release.180607-1919) Description=AppModel API Host Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel.appcore.dll
  Hashes=MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144062, UtcTime 2021-09-29 19:09:55.308]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\shlwapi.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Shell Light-weight Utility Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHLWAPI.DLL
  Hashes=MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144061, UtcTime 2021-09-29 19:09:55.308]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\powrprof.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Power Profile Helper DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=POWRPROF.DLL
  Hashes=MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144060, UtcTime 2021-09-29 19:09:55.308]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\ucrtbase.dll
  FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) Description=Microsoft® C Runtime Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ucrtbase.dll
  Hashes=MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144059, UtcTime 2021-09-29 19:09:55.308]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\combase.dll
  FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Microsoft COM for Windows Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=COMBASE.DLL
  Hashes=MD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144058, UtcTime 2021-09-29 19:09:55.307]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\windows.storage.dll
  FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Microsoft WinRT Storage API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Windows.Storage.dll
  Hashes=MD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037F Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144057, UtcTime 2021-09-29 19:09:55.307]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\cfgmgr32.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Configuration Manager DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=CFGMGR32.DLL
  Hashes=MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144056, UtcTime 2021-09-29 19:09:55.307]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\shell32.dll
  FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Windows Shell Common Dll Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHELL32.DLL
  Hashes=MD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BE Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144055, UtcTime 2021-09-29 19:09:55.306]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\bcryptprimitives.dll
  FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Windows Cryptographic Primitives Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=bcryptprimitives.dll
  Hashes=MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144054, UtcTime 2021-09-29 19:09:55.306]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\cryptbase.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base cryptographic API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptbase.dll
  Hashes=MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144053, UtcTime 2021-09-29 19:09:55.306]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\sspicli.dll
  FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745) Description=Security Support Provider Interface Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=security.dll
  Hashes=MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144052, UtcTime 2021-09-29 19:09:55.305]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\rpcrt4.dll
  FileVersion=10.0.14393.4467 (rs1_release.210604-1844) Description=Remote Procedure Call Runtime Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=rpcrt4.dll
  Hashes=MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144051, UtcTime 2021-09-29 19:09:55.305]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\sechost.dll
  FileVersion=10.0.14393.3808 (rs1_release.200707-2105) Description=Host for SCM/SDDL/LSA Lookup APIs Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=sechost.dll
  Hashes=MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144050, UtcTime 2021-09-29 19:09:55.305]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\msvcrt.dll
  FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) Description=Windows NT CRT DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=msvcrt.dll
  Hashes=MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144049, UtcTime 2021-09-29 19:09:55.305]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\advapi32.dll
  FileVersion=10.0.14393.4467 (rs1_release.210604-1844) Description=Advanced Windows 32 Base API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=advapi32.dll
  Hashes=MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144048, UtcTime 2021-09-29 19:09:55.304]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\gdi32full.dll
  FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=GDI Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdi32
  Hashes=MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144047, UtcTime 2021-09-29 19:09:55.304]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\gdi32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=GDI Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdi32
  Hashes=MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144046, UtcTime 2021-09-29 19:09:55.304]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\win32u.dll
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Win32u Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Win32u.DLL
  Hashes=MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144045, UtcTime 2021-09-29 19:09:55.304]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\user32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Multi-User Windows USER API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=user32
  Hashes=MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144044, UtcTime 2021-09-29 19:09:55.302]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\KernelBase.dll
  FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Kernelbase.dll
  Hashes=MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144043, UtcTime 2021-09-29 19:09:55.302]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\kernel32.dll
  FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32
  Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144042, UtcTime 2021-09-29 19:09:55.302]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\wow64cpu.dll
  FileVersion=10.0.14393.3503 (rs1_release.200131-0410) Description=AMD64 Wow64 CPU Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=wow64cpu.dll
  Hashes=MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144041, UtcTime 2021-09-29 19:09:55.301]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\user32.dll
  FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Multi-User Windows USER API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=user32
  Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144040, UtcTime 2021-09-29 19:09:55.301]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\kernel32.dll
  FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32
  Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144039, UtcTime 2021-09-29 19:09:55.301]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\kernel32.dll
  FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32
  Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144038, UtcTime 2021-09-29 19:09:55.300]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\kernel32.dll
  FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32
  Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144037, UtcTime 2021-09-29 19:09:55.300]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\wow64win.dll
  FileVersion=10.0.14393.3383 (rs1_release.191125-1816) Description=Wow64 Console and Win32 API Logging Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=wow64lg2.dll
  Hashes=MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0 Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144036, UtcTime 2021-09-29 19:09:55.300]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\wow64.dll
  FileVersion=10.0.14393.3503 (rs1_release.200131-0410) Description=Win32 Emulation on NT64 Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=wow64.dll
  Hashes=MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144035, UtcTime 2021-09-29 19:09:55.299]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\ntdll.dll
  FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=NT Layer DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ntdll.dll
  Hashes=MD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292F Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144034, UtcTime 2021-09-29 19:09:55.299]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\System32\ntdll.dll
  FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=NT Layer DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ntdll.dll
  Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 7 ImageLoad, RecordID 14144033, UtcTime 2021-09-29 19:09:55.299]
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\winhlp32.exe
  FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Windows Winhlp32 Stub Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINHLP32.EXE
  Hashes=MD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E Signed=true Signature=Microsoft Windows SignatureStatus=Valid

[EventID 10 ProcessAccess, RecordID 14144032, UtcTime 2021-09-29 19:09:55.296]
  SourceProcessGUID={8B6011A9-5DE3-6143-C106-00000000F001} SourceProcessId/SourceThreadId=4364940 (the export runs the two values together; the boundary is not recoverable) SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={8B6011A9-BA03-6154-071A-02000000F001} TargetProcessId=7964 TargetImage=C:\Windows\winhlp32.exe GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[EventID 10 ProcessAccess, RecordID 14144031, UtcTime 2021-09-29 19:09:55.296]
  SourceProcessGUID={8B6011A9-B9FB-6154-AE19-02000000F001} SourceProcessId=7628 SourceThreadId=3548 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID={8B6011A9-BA03-6154-071A-02000000F001} TargetProcessId=7964 TargetImage=C:\Windows\winhlp32.exe GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005E50169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000003230D60)

[EventID 1 ProcessCreate, RecordID 14144030, UtcTime 2021-09-29 19:09:55.296] (record continues on the following line)
  ProcessGuid={8B6011A9-BA03-6154-071A-02000000F001} ProcessId=7964 Image=C:\Windows\winhlp32.exe FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 10341000x800000000000000014144029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.080{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.080{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:56.100{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:57.121{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:58.987{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+9a471|C:\Users\Administrator\Downloads\procexp64.exe+8efac|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+93dfb|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000014144417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:09:58.974{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+93c3d|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.974{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+9a471|C:\Users\Administrator\Downloads\procexp64.exe+93b9b|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014144413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.140{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:59.159{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:00.179{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:01.199{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:02.233{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:02.221{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014144876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:02.221{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:03.254{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:04.274{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:05.293{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:06.312{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:07.331{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:08.350{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:09.370{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:10.389{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:11.408{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:12.442{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:12.430{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014145995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:12.430{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:13.461{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:14.480{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:15.500{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:16.528{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:17.547{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:18.567{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:19.586{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:20.605{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014146915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:21.625{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:22.658{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:23.861{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000014147453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x800000000000000014147452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000014147451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000014147450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 12241200x800000000000000014147449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 
12241200x800000000000000014147448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.859{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000014147447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.857{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014147446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.856{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014147445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.855{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 
734700x800000000000000014147444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.849{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014147443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014147442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014147441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 
10341000x800000000000000014147440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014147438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014147437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.830{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 11241100x800000000000000014147436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.829{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tdotjszundpkydpcqd.vbs2021-09-29 19:10:23.829 12241200x800000000000000014147435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-29 19:10:23.828{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 10341000x800000000000000014147424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.678{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014148297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.888{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014148296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.888{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014148295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.887{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 10341000x800000000000000014148294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.783{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.783{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.782{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.779{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.779{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014148237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.769{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014148201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000014148200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014148199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014148198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.745{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014148197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000014148196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014148195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 
12241200x800000000000000014148194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014148193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014148192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014148191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014148190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014148189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014148188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014148187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014148186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014148185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014148184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014148183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014148182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.742{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 
734700x800000000000000014148181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.741{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014148180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.741{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000014148179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.727{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014148178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.727{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014148177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.717{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 
(rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014148176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000014148175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.715{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014148168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.713{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014148167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.713{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000014148166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014148165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014148164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014148162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014148161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014148160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014148159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 
12241200x800000000000000014148158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014148157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014148156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014148155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014148154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014148153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000014148152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014148151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014148150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000014148149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014148148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service 
ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014148147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014148146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014148145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.701{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014148144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.701{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014148143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.700{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000014148142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.698{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.698{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014148140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.694{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014148139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.693{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014148138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014148137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014148136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014148135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014148134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.663{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014148133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.662{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014148132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014148131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014148130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014148129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014148128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014148127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.658{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014148126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.658{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014148125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.657{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014148124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.657{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014148123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.656{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014148122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014148121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014148120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014148119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.654{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014148118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 
(rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014148117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014148116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014148115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014148114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.651{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014148113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.650{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014148112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.649{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014148111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.649{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014148110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.648{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014148109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014148108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014148107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014148106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.646{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.645{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.645{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014148103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.644{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014148102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.644{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014148101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.641{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000014148100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.641{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014148099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.640{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014148098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.640{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014148097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000014148096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014148095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014148094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014148093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.638{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148092|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.638|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\win32u.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=Win32u|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=Win32u.DLL|Hashes=MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148091|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.638|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\user32.dll|FileVersion=10.0.14393.4169 (rs1_release.210107-1130)|Description=Multi-User Windows USER API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=user32|Hashes=MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148090|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.637|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\bcryptprimitives.dll|FileVersion=10.0.14393.4583 (rs1_release.210730-1850)|Description=Windows Cryptographic Primitives Library|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=bcryptprimitives.dll|Hashes=MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148089|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.637|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\cryptbase.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=Base cryptographic API DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=cryptbase.dll|Hashes=MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148088|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.637|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\sspicli.dll|FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745)|Description=Security Support Provider Interface|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=security.dll|Hashes=MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148087|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.637|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\rpcrt4.dll|FileVersion=10.0.14393.4467 (rs1_release.210604-1844)|Description=Remote Procedure Call Runtime|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=rpcrt4.dll|Hashes=MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=5|Version=3|Level=4|Task=5|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148086|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.636|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148085|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.636|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\sechost.dll|FileVersion=10.0.14393.3808 (rs1_release.200707-2105)|Description=Host for SCM/SDDL/LSA Lookup APIs|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=sechost.dll|Hashes=MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148084|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.636|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\msvcrt.dll|FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743)|Description=Windows NT CRT DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=msvcrt.dll|Hashes=MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148083|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.636|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\advapi32.dll|FileVersion=10.0.14393.4467 (rs1_release.210604-1844)|Description=Advanced Windows 32 Base API|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=advapi32.dll|Hashes=MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148082|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.634|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\KernelBase.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=Windows NT BASE API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=Kernelbase.dll|Hashes=MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148081|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.634|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\kernel32.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=Windows NT BASE API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=kernel32|Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148080|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.633|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\wow64cpu.dll|FileVersion=10.0.14393.3503 (rs1_release.200131-0410)|Description=AMD64 Wow64 CPU|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wow64cpu.dll|Hashes=MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148079|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.633|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\user32.dll|FileVersion=10.0.14393.4169 (rs1_release.210107-1130)|Description=Multi-User Windows USER API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=user32|Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148078|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.633|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=Windows NT BASE API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=kernel32|Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148077|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.633|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\kernel32.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=Windows NT BASE API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=kernel32|Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148076|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.632|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=Windows NT BASE API Client DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=kernel32|Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148075|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.632|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\wow64win.dll|FileVersion=10.0.14393.3383 (rs1_release.191125-1816)|Description=Wow64 Console and Win32 API Logging|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wow64lg2.dll|Hashes=MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148074|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.632|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\wow64.dll|FileVersion=10.0.14393.3503 (rs1_release.200131-0410)|Description=Win32 Emulation on NT64|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wow64.dll|Hashes=MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148073|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.631|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\ntdll.dll|FileVersion=10.0.14393.4530 (rs1_release.210705-0736)|Description=NT Layer DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=ntdll.dll|Hashes=MD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292F|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148072|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.631|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|FileVersion=10.0.14393.4530 (rs1_release.210705-0736)|Description=NT Layer DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=ntdll.dll|Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148071|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.631|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|ImageLoaded=C:\Windows\SysWOW64\wscript.exe|FileVersion=5.812.10240.16384|Description=Microsoft ® Windows Based Script Host|Product=Microsoft ® Windows Script Host|Company=Microsoft Corporation|OriginalFileName=wscript.exe|Hashes=MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=10|Version=3|Level=4|Task=10|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148070|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.630|SourceProcessGUID={8B6011A9-5DE3-6143-C106-00000000F001}|SourceProcessId=436|SourceThreadId=3920|SourceImage=C:\Windows\system32\csrss.exe|TargetProcessGUID={8B6011A9-BA24-6154-0E1A-02000000F001}|TargetProcessId=2780|TargetImage=C:\Windows\SYSWOW64\WSCRIPT.EXE|GrantedAccess=0x1fffff|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10|Version=3|Level=4|Task=10|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148069|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.629|SourceProcessGUID={8B6011A9-BA24-6154-0D1A-02000000F001}|SourceProcessId=7456|SourceThreadId=7528|SourceImage=C:\Windows\System32\WScript.exe|TargetProcessGUID={8B6011A9-BA24-6154-0E1A-02000000F001}|TargetProcessId=2780|TargetImage=C:\Windows\SYSWOW64\WSCRIPT.EXE|GrantedAccess=0x1fffff|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1|Version=5|Level=4|Task=1|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148068|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.629|ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001}|ProcessId=2780|Image=C:\Windows\SysWOW64\wscript.exe|FileVersion=5.812.10240.16384|Description=Microsoft ® Windows Based Script Host|Product=Microsoft ® Windows Script Host|Company=Microsoft Corporation|OriginalFileName=wscript.exe|CommandLine="C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"|CurrentDirectory=C:\Users\Administrator\Desktop\6104039597178880\|User=ATTACKRANGE\Administrator|LogonGuid={8B6011A9-5DE5-6143-CEE2-400000000000}|LogonId=0x40e2ce|TerminalSessionId=2|IntegrityLevel=High|Hashes=MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC|ParentProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ParentProcessId=7456|ParentImage=C:\Windows\System32\wscript.exe|ParentCommandLine="C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148067|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.626|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\edputil.dll|FileVersion=10.0.14393.2608 (rs1_release.181024-1742)|Description=EDP util|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=EDPUTIL.DLL|Hashes=MD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148066|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.625|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148065|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.621|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\propsys.dll|FileVersion=7.0.14393.4169 (rs1_release.210107-1130)|Description=Microsoft Property System|Product=Windows® Search|Company=Microsoft Corporation|OriginalFileName=propsys.dll|Hashes=MD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148052|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.612|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbem\fastprox.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=WMI Custom Marshaller|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=fastprox.dll|Hashes=MD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148051|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.610|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbem\wbemsvc.dll|FileVersion=10.0.14393.4169 (rs1_release.210107-1130)|Description=WMI|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wbemsvc.dll|Hashes=MD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148050|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.608|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbem\wmiutils.dll|FileVersion=10.0.14393.4169 (rs1_release.210107-1130)|Description=WMI|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wmiutils.dll|Hashes=MD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148049|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.608|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbem\wbemprox.dll|FileVersion=10.0.14393.4169 (rs1_release.210107-1130)|Description=WMI|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wbemprox.dll|Hashes=MD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148048|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.607|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148047|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.607|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148046|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.607|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbemcomn.dll|FileVersion=10.0.14393.4530 (rs1_release.210705-0736)|Description=WMI|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=wbemcomn.dll|Hashes=MD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148045|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.607|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wbem\wbemdisp.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=WMI Scripting|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=WBEMDISP.DLL|Hashes=MD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DC|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148044|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.360|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\mpr.dll|FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855)|Description=Multiple Provider Router DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=mpr.dll|Hashes=MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148043|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.360|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\scrrun.dll|FileVersion=5.812.10240.16384|Description=Microsoft ® Script Runtime|Product=Microsoft ® Script Runtime|Company=Microsoft Corporation|OriginalFileName=scrrun.dll|Hashes=MD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148042|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.359|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\wshom.ocx|FileVersion=5.812.10240.16384|Description=Windows Script Host Runtime Library|Product=Microsoft ® Windows Script Host Runtime Library|Company=Microsoft Corporation|OriginalFileName=wshom.ocx|Hashes=MD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
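The records in this dump carry their story without any prose, so here is an added example, not part of the dataset or of the Attack Range project, of detection logic run over a handful of Sysmon records whose values are copied from the events above (the record list is constructed sample input, not a parse of the dump). It flags the three things a responder pulls out of this trace: a script host respawning a script host with //b //e:vbscript (the 64-bit System32\wscript.exe running remcos.vbs relaunching the same script under SysWOW64\wscript.exe), a PROCESS_ALL_ACCESS (0x1fffff) handle opened by one script host on another, and a script host loading the WMI client DLLs from System32\wbem. The csrss.exe allow-list is an assumption of the example: csrss opens every new process with full access as part of process creation, so its Event 10 above is expected noise rather than a finding.

```python
"""Detection logic for Windows Script Host abuse, run over Sysmon records.

Added example. SAMPLE_EVENTS is constructed sample input whose values come
from the Sysmon events in this dump: a 64-bit wscript.exe (PID 7456) running
remcos.vbs relaunches the script under the 32-bit SysWOW64 host with
//b //e:vbscript, opens that child with PROCESS_ALL_ACCESS, and loads the
WMI scripting DLLs. Keys are Sysmon's own EventData field names.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Assumption: csrss.exe legitimately opens every new process with full access
# while creating it (the csrss Event 10 in the dump is exactly that), so it is
# allow-listed for the handle rule.
ACCESS_ALLOWLIST = {"csrss.exe"}

# Constructed sample input (values copied from the events in this dump).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-09-29 19:10:28.629",
     "ProcessGuid": "{8B6011A9-BA24-6154-0E1A-02000000F001}", "ProcessId": 2780,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript '
                    r'"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"',
     "IntegrityLevel": "High",
     "ParentProcessGuid": "{8B6011A9-BA24-6154-0D1A-02000000F001}", "ParentProcessId": 7456,
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 10, "UtcTime": "2021-09-29 19:10:28.629",
     "SourceProcessGUID": "{8B6011A9-BA24-6154-0D1A-02000000F001}", "SourceProcessId": 7456,
     "SourceImage": r"C:\Windows\System32\WScript.exe",
     "TargetProcessGUID": "{8B6011A9-BA24-6154-0E1A-02000000F001}", "TargetProcessId": 2780,
     "TargetImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "UtcTime": "2021-09-29 19:10:28.630",
     "SourceProcessGUID": "{8B6011A9-5DE3-6143-C106-00000000F001}", "SourceProcessId": 436,
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetProcessGUID": "{8B6011A9-BA24-6154-0E1A-02000000F001}", "TargetProcessId": 2780,
     "TargetImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE", "GrantedAccess": "0x1fffff"},
    {"EventID": 7, "UtcTime": "2021-09-29 19:10:28.607",
     "ProcessGuid": "{8B6011A9-BA24-6154-0D1A-02000000F001}", "ProcessId": 7456,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemdisp.dll"},
    {"EventID": 7, "UtcTime": "2021-09-29 19:10:28.641",
     "ProcessGuid": "{8B6011A9-BA24-6154-0E1A-02000000F001}", "ProcessId": 2780,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def wsh_flags(cmdline):
    """Lower-cased WSH host switches (//b, //e:vbscript, //nologo ...) in a command line."""
    return {tok.lower() for tok in cmdline.split() if tok.startswith("//")}


def detect_script_host_respawn(events):
    """Event 1: a script host spawned by a script host, with //b (batch mode, no
    error dialogs) or an explicit //e: engine switch. Also records whether the
    child changed bitness (System32 parent, SysWOW64 child or vice versa)."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if basename(e["Image"]) not in SCRIPT_HOSTS or basename(e["ParentImage"]) not in SCRIPT_HOSTS:
            continue
        flags = wsh_flags(e["CommandLine"])
        if "//b" in flags or any(f.startswith("//e:") for f in flags):
            hits.append({"rule": "wsh_respawn", "guid": e["ProcessGuid"], "pid": e["ProcessId"],
                         "flags": sorted(flags),
                         "arch_switch": ("syswow64" in e["Image"].lower())
                                        != ("syswow64" in e["ParentImage"].lower())})
    return hits


def detect_full_access_handle(events):
    """Event 10: PROCESS_ALL_ACCESS opened on a script host by anything that is
    not an allow-listed system process."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or int(e["GrantedAccess"], 16) != PROCESS_ALL_ACCESS:
            continue
        src = basename(e["SourceImage"])
        if src in ACCESS_ALLOWLIST or basename(e["TargetImage"]) not in SCRIPT_HOSTS:
            continue
        hits.append({"rule": "full_access_handle", "guid": e["SourceProcessGUID"],
                     "pid": e["SourceProcessId"], "target_pid": e["TargetProcessId"], "source": src})
    return hits


def detect_wmi_from_script_host(events):
    """Event 7: a script host loading WMI client DLLs from System32\\wbem, which is
    what GetObject("winmgmts:") in a VBScript causes."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        if "wbem" in (p.lower() for p in PureWindowsPath(e["ImageLoaded"]).parts):
            hits.append({"rule": "wmi_from_script_host", "guid": e["ProcessGuid"],
                         "pid": e["ProcessId"], "dll": basename(e["ImageLoaded"])})
    return hits


def run_detections(events):
    """Run every rule and group rule names by ProcessGuid, so one process's
    findings appear together even when PIDs are later reused."""
    hits = (detect_script_host_respawn(events)
            + detect_full_access_handle(events)
            + detect_wmi_from_script_host(events))
    by_guid = defaultdict(list)
    for h in hits:
        by_guid[h["guid"]].append(h["rule"])
    return dict(by_guid)


if __name__ == "__main__":
    for guid, rules in run_detections(SAMPLE_EVENTS).items():
        print(guid, rules)
```

Feed it Event 1, 7 and 10 records from any Sysmon XML parser that yields EventData as a dict; the rules key on ProcessGuid rather than PID so findings from the 64-bit parent (0D1A) and the 32-bit child (0E1A) stay separate, and the csrss handle is dropped while the parent-to-child 0x1fffff handle is kept.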
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148041|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.254|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\ncryptsslp.dll|FileVersion=10.0.14393.4583 (rs1_release.210730-1850)|Description=Microsoft SChannel Provider|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=ncryptsslp.dll|Hashes=MD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148040|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.243|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148039|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.243|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148038|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.243|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148037|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.242|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148036|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.242|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148035|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.242|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList|Details=Binary Data
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148034|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.241|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\cryptnet.dll|FileVersion=10.0.14393.2035 (rs1_release_inmarket.180110-1910)|Description=Crypto Network Related API|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=CRYPTNET.DLL|Hashes=MD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148033|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148032|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148031|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148030|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148029|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148028|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148027|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148026|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148025|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148024|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148023|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148022|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148021|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148020|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.239|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\dpapi.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=Data Protection API|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=dpapi.dll|Hashes=MD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148019|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.238|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\ntasn1.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=Microsoft ASN.1 API|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=ntasn1.dll|Hashes=MD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148018|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.236|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\ncrypt.dll|FileVersion=10.0.14393.4046 (rs1_release.201028-1803)|Description=Windows NCrypt Router|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=ncrypt.dll|Hashes=MD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148017|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.234|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\mskeyprotect.dll|FileVersion=10.0.14393.4046 (rs1_release.201028-1803)|Description=Microsoft Key Protection Provider|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=mskeyprotect.dll|Hashes=MD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148016|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.221|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148015|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.221|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\schannel.dll|FileVersion=10.0.14393.4225 (rs1_release.210127-1811)|Description=TLS / SSL Security Provider|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=schannel.dll|Hashes=MD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148014|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.212|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\FWPUCLNT.DLL|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=FWP/IPsec User-Mode API|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=fwpuclnt.dll|Hashes=MD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148013|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\rasadhlp.dll|FileVersion=10.0.14393.0 (rs1_release.160715-1616)|Description=Remote Access AutoDial Helper|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=rasadhlp.dll|Hashes=MD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148012|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148011|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148010|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148009|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148008|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148007|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148006|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.208|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12|Version=2|Level=4|Task=12|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148005|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=CreateKey|UtcTime=2021-09-29 19:10:28.206|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
EventID=7|Version=3|Level=4|Task=7|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148004|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|UtcTime=2021-09-29 19:10:28.205|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\wscript.exe|ImageLoaded=C:\Windows\System32\dnsapi.dll|FileVersion=10.0.14393.4350 (rs1_release.210407-2154)|Description=DNS Client API DLL|Product=Microsoft® Windows® Operating System|Company=Microsoft Corporation|OriginalFileName=dnsapi|Hashes=MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148003|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.203|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix|Details=Visited:
EventID=13|Version=2|Level=4|Task=13|Opcode=0|Keywords=0x8000000000000000|EventRecordID=14148002|Channel=Microsoft-Windows-Sysmon/Operational|Computer=win-dc-469.attackrange.local|RuleName=-|EventType=SetValue|UtcTime=2021-09-29 19:10:28.203|ProcessGuid={8B6011A9-BA24-6154-0D1A-02000000F001}|ProcessId=7456|Image=C:\Windows\System32\WScript.exe|TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix|Details=Cookie:
13241300x800000000000000014148001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.203{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000014147999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.202{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000014147998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.202{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014147997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014147996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014147995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014147994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014147993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014147992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014147991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000014147990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 13241300x800000000000000014147989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.199{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014147988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.199{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000014147987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014147986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014147985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 
12241200x800000000000000014147984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014147983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.197{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000014147982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.191{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014147981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.191{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014147980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.189{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000014147979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.184{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.184{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014147977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.184{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014147976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.180{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014147975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.180{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014147974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000014147973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014147972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014147971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.178{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014147970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.177{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014147969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.176{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014147968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.174{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014147967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.173{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014147966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.173{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014147965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014147964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014147963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014147962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.170{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000014147961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.169{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014147960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.169{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014147959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:28.168{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000014147958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.168{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014147957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014147956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014147955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014147954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.166{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014147953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.164{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014147952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.162{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014147951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.161{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® 
Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014147950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.161{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000014147949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.160{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000014147948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.160{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000014147947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.159{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000014147946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.158{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000014147944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.156{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000014147943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.145{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000014147942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.144{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014147941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.144{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000014147940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.144{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.143{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014147938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014148695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.254{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014148692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.253{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014148687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:31.252{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014148686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.252{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014148682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014148681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014148680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014148679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014148677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014148664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014148661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014148660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014148659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014148658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014148657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014148656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014148655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014148654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000014148653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.245{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014148651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.245{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014148650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.245{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014148649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.245{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000014148648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.244{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014148646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.244{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014148644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.244{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014148643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.243{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000014148641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.243{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014148638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.243{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014148636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.242{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014148633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.242{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 
734700x800000000000000014148631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.241{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014148630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.241{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014148628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.241{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014148626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.241{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 
734700x800000000000000014148624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.240{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014148623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.240{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014148622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.240{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014148620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:31.239{8B6011A9-BA24-6154-0E1A-02000000F001}278010156C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014148619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 154100x800000000000000014148618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® 
Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014148617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014148616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014148615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.238{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft 
WindowsValid 734700x800000000000000014148614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.237{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014148613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.237{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014148612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.236{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014148611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.236{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014148610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:10:31.236{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014148609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.236{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014148608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.236{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014148607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.236{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014148606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.235{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014148605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.235{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014148604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.234{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014148603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.234{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014148602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.234{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014148601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014148600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005C40169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008104580) 154100x800000000000000014148599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 10341000x800000000000000014149079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:32.896{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:32.896{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:32.896{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:32.895{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:32.881{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:32.880{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:32.880{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:32.880{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.917{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014149278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.917{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.916{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:33.916{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000014149187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:46.788{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62392-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 13241300x800000000000000014149183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:33.303{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014149181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.303{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014149164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.290{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exe 734700x800000000000000014149147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:33.286{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014149143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014149142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014149141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014149140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014149139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014149138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014149137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014149136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014149134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014149133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014149132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 
734700x800000000000000014149131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014149129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014149127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014149126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000014149124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014149122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014149119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.280{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014149117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.280{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000014149114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014149113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014149111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014149108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000014149107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014149106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014149105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000014149103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:33.277{8B6011A9-BA24-6154-0E1A-02000000F001}27807376C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014149102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 154100x800000000000000014149101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® 
19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000014149439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014149438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014149437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000014149436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014149435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.346{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014149434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.346{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014149433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.346{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000014149432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.346{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000014149431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.345{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 11241100x800000000000000014149430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.345{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000014149429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.345{8B6011A9-BA24-6154-0E1A-02000000F001}2780ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000014149428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.343{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014149427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.343{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014149426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.343{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014149425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.343{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014149424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.343{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014149423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.342{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014149422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.342{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000014149421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.339{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000014149420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.338{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000014149419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.337{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000014149418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.329{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe 734700x800000000000000014149417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.325{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014149416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.325{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014149415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.325{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014149414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.324{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014149413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.324{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014149412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.324{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014149411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.324{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014149410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.324{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014149409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.323{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014149408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.323{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014149407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.323{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014149406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.323{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014149405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.322{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014149404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.322{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014149403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.322{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014149402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.322{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014149401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.321{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014149400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.321{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014149399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.321{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014149398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.320{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014149397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.320{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014149396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.320{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014149395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.319{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014149394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.319{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014149393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.319{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014149392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.319{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014149391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.318{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014149390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.318{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014149389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.318{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014149388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.317{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014149387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.317{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014149386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.316{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014149385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.316{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014149384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.315{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014149383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.315{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014149382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.315{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014149381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014149380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014149379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014149378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014149377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014149376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014149375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014149374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014149373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007250169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000081045C8) 154100x800000000000000014149372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 10341000x800000000000000014149643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:36.976{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:38.010{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:39.029{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:40.053{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014149997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:41.074{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:42.093{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:43.126{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:43.114{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:43.114{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:44.144{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:45.165{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:46.191{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:47.208{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014150956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:48.226{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:49.245{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:50.263{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:10:51.282{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:52.301{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:53.336{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014151502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:39.400{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014156993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:40.422{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:41.441{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:42.462{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:43.483{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:44.527{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:44.511{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:44.511{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:45.544{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:46.563{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014157954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:47.581{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:48.599{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:49.617{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:50.636{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:51.653{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:52.672{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:53.690{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:54.724{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:54.712{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:54.711{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:55.744{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014158913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:56.766{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:57.786{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:58.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:11:59.826{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:00.845{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:01.863{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:02.882{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:03.901{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:04.936{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:04.925{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:04.925{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:05.954{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014159966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:06.973{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014160082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:07.992{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014160172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:09.016{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014160261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
Sysmon Event ID 10 (ProcessAccess) records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-469.attackrange.local, 2021-09-29 19:12:10 to 19:12:56 UTC. The export ran every field of each record together with no separator and broke records across lines at the UtcTime field; the same records are laid out here as a table. Values common to every record:

  EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, RuleName -
  SourceProcessGUID                  {8B6011A9-B9EA-6154-7918-02000000F001}
  SourceProcessId + SourceThreadId   44889824 (the two numbers are concatenated in the export; the split is not recoverable from it)
  SourceImage                        C:\Users\Administrator\Downloads\procexp64.exe (Sysinternals Process Explorer)
  TargetProcessGUID                  {8B6011A9-BA27-6154-101A-02000000F001}
  TargetProcessId                    9976
  TargetImage                        C:\Windows\winhlp32.exe

Three distinct CallTrace values occur:

  A  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

  B  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

  C  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

  EventRecordID   UtcTime (2021-09-29)   GrantedAccess   CallTrace
  (header on the line preceding this excerpt)   19:12:10.034   0x1fffff   A
  14160350        19:12:11.054           0x1fffff        A
  14160438        19:12:12.072           0x1fffff        A
  14160528        19:12:13.094           0x1fffff        A
  14160619        19:12:14.113           0x1fffff        A
  14160866        19:12:15.153           0x1fffff        A
  14160808        19:12:15.136           0x1400          B
  14160807        19:12:15.136           0x1400          C
  14160957        19:12:16.172           0x1fffff        A
  14161050        19:12:17.191           0x1fffff        A
  14161142        19:12:18.210           0x1fffff        A
  14161234        19:12:19.231           0x1fffff        A
  14161321        19:12:20.252           0x1fffff        A
  14161411        19:12:21.272           0x1fffff        A
  14161500        19:12:22.296           0x1fffff        A
  14161587        19:12:23.316           0x1fffff        A
  14161788        19:12:24.335           0x1fffff        A
  14162104        19:12:25.374           0x1fffff        A
  14162046        19:12:25.362           0x1400          B
  14162045        19:12:25.362           0x1400          C
  14162248        19:12:26.391           0x1fffff        A
  14162337        19:12:27.410           0x1fffff        A
  14162426        19:12:28.429           0x1fffff        A
  14162516        19:12:29.448           0x1fffff        A
  14162603        19:12:30.467           0x1fffff        A
  14162693        19:12:31.486           0x1fffff        A
  14162781        19:12:32.504           0x1fffff        A
  14162868        19:12:33.523           0x1fffff        A
  14162962        19:12:34.543           0x1fffff        A
  14163210        19:12:35.582           0x1fffff        A
  14163152        19:12:35.569           0x1400          B
  14163151        19:12:35.569           0x1400          C
  14163300        19:12:36.601           0x1fffff        A
  14163386        19:12:37.621           0x1fffff        A
  14163473        19:12:38.639           0x1fffff        A
  14163565        19:12:39.658           0x1fffff        A
  14163656        19:12:40.678           0x1fffff        A
  14163745        19:12:41.696           0x1fffff        A
  14163833        19:12:42.717           0x1fffff        A
  14163920        19:12:43.736           0x1fffff        A
  14164127        19:12:44.754           0x1fffff        A
  14164432        19:12:45.787           0x1fffff        A
  14164374        19:12:45.775           0x1400          B
  14164373        19:12:45.775           0x1400          C
  14164521        19:12:46.805           0x1fffff        A
  14164608        19:12:47.824           0x1fffff        A
  14164695        19:12:48.842           0x1fffff        A
  14164788        19:12:49.862           0x1fffff        A
  14164877        19:12:50.879           0x1fffff        A
  14164964        19:12:51.897           0x1fffff        A
  14165053        19:12:52.917           0x1fffff        A
  14165140        19:12:53.935           0x1fffff        A
  14165231        19:12:54.954           0x1fffff        A
  14165482        19:12:55.992           0x1fffff        A
  14165424        19:12:55.980           0x1400          B

GrantedAccess 0x1fffff is PROCESS_ALL_ACCESS; 0x1400 is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION. The ALL_ACCESS opens (trace A) are issued from procexp64.exe's own code about once a second. The 0x1400 opens (traces B and C) come in pairs roughly every ten seconds and are issued from CorperfmonExt.dll, the .NET Framework performance-counter provider, reached through mscoree.dll and advapi32.dll from procexp64.exe. EventRecordIDs are not in time order in this export: each 0x1400 pair carries lower record IDs than the ALL_ACCESS open timestamped a few milliseconds after it.

The export continues with the header of record 14165423, whose body (UtcTime onward) begins on the following line:
10341000x800000000000000014165423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:55.980{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014165569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:57.010{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014165656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:12:58.028{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014165746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:59.047{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014165835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:00.066{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014165927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:01.084{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:02.107{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:03.127{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:04.145{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:05.164{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:06.198{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:06.187{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:06.187{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:07.217{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:08.237{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:09.257{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:10.275{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014166986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:11.299{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:12.318{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000014166990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:24.749{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62473-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 10341000x800000000000000014167164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:13.338{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014167255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:14.357{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:15.376{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:16.409{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:16.397{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:16.397{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014167686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:17.428{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x800000000000000014167909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.315{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exe 
23542300x800000000000000014167908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.313{8B6011A9-BACE-6154-281A-02000000F001}8464ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tgmby.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue 734700x800000000000000014167907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.312{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014167906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.311{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014167905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.310{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014167904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:18.308{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014167903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.308{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014167902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014167901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014167900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014167899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014167898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.306{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014167897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.306{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014167896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
734700x800000000000000014208961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.861{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014208958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.859{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014208957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.843{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 12241200x800000000000000014208926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.853{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014208924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:30.853{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014208923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.852{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014208921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.851{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014208920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.851{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
734700x800000000000000014208916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.848{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014208915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.848{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014208914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.847{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014208897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.835{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 
734700x800000000000000014208896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.834{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000014208895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.831{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000014208894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.831{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000014208890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.825{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014208888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.825{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script 
Host\Settings 10341000x800000000000000014208887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.820{8B6011A9-51ED-6143-0C00-00000000F001}8528212C:\Windows\system32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014208885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.814{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014208884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:30.813{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014208883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.813{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000014208882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.812{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000014208877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.785{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 
734700x800000000000000014208875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.797{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 13241300x800000000000000014208856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:30.795{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b566-0xed949d6e) 734700x800000000000000014208848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.794{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000014208847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000014208846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000014208845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014208844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014208843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
734700x800000000000000014208842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014208840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014208839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014208837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x800000000000000014208836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.790{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014208834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.790{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014208833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.789{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014208831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.789{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x800000000000000014208830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.788{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014208827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.787{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014208824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.787{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014208820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.786{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
10341000x800000000000000014208819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.783{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014208818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.783{8B6011A9-EF7D-6151-C8C2-01000000F001}86487512C:\Windows\explorer.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014208817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.781{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" 
"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 734700x800000000000000014209407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.993{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014209405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.973{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 534500x800000000000000014209381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.981{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe 734700x800000000000000014209377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.973{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000014209376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.972{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014209375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.971{8B6011A9-BC42-6154-611A-02000000F001}77126668C:\Windows\System32\WScript.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014209374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.970{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript 
"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014209373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.962{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014209372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.959{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014209371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.949{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014209286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.826{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating 
SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014209285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.815{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014209284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.803{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014209274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.812{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014209259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.809{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014209257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014209256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014209255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000014209252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.552{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014209225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.551{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014209200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.550{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014209173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.419{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014209172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.405{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014209171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.405{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014209170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014209169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014209168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014209167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014209166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.402{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014209165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.401{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 
12241200x800000000000000014209164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014209163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014209162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014209161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014209160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014209159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014209158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014209157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014209156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014209155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014209154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014209153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.398{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014209152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.390{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014209151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.367{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014209150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.367{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014209149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.366{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000014209146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.350{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014209145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.350{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 
734700x800000000000000014209144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.335{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000014209143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014209141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000014209140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014209135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.150{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014209134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.149{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000014209133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:19:31.142{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014209132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.141{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014209131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.140{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014209129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.137{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014209128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014209127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
13241300x800000000000000014209126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014209125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014209124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014209123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014209122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.135{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014209121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.135{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD 
(0x00000000) 13241300x800000000000000014209120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014209119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014209118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000014209117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 12241200x800000000000000014209116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:31.133{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014209115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.133{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014209114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.132{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000014209113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.107{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014209112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.131{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 
734700x800000000000000014209110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.130{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014209103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.130{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014209086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.127{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000014209084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:31.122{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014209083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.122{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014209082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:31.122{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014209081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.113{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014209080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.111{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014209079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000014209078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014209077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014209076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.109{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014209073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.091{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014209046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:31.084{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014209045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.084{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014209044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.083{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014209043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.083{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014209042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:31.080{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014209041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.026{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014209040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.026{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000014211353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.956{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014211326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:32.951{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014211280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.949{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 734700x800000000000000014211241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.947{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014211214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.944{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 12241200x800000000000000014211189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:32.948{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014211188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.948{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014211185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.652{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014211158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.651{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014211133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.650{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000014211106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:32.522{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000014211081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.506{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000014211054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.500{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014211027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.498{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000014211002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:32.496{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014210977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.495{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000014210950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.478{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014210923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.465{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014210896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014210869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.457{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014210844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014210819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.444{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 734700x800000000000000014210794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:32.442{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000014210769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.439{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014210742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.438{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014210717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.436{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 
734700x800000000000000014210690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.434{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014210665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.413{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014210638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.412{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014210613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.395{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 
734700x800000000000000014210588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.395{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014210563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.394{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014210536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.380{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 13241300x800000000000000014210511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.509{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014210510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local 
Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014210509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014210508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014210505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.366{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 12241200x800000000000000014210495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.503{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014210491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.503{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014210486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 
12241200x800000000000000014210484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014210482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014210479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014210476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014210475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014210473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014210472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014210471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014210470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014210469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014210465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.360{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014210440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.359{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014210415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.355{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® 
Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 12241200x800000000000000014210391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.479{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014210389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.352{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014210364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.350{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 12241200x800000000000000014210340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.462{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014210338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.460{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.460{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014210333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.457{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 13241300x800000000000000014210332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.450{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 
13241300x800000000000000014210331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.449{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014210330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.449{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014210328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014210327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014210326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014210325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 734700x800000000000000014212080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.218{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 734700x800000000000000014212053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.214{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014212026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014212002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.232{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014212000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.202{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014211999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.230{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014211998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.229{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 
12241200x800000000000000014211973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.220{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014211972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.220{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014211971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014211970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014211968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.217{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014211965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.217{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000014211964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.216{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
12241200x800000000000000014211962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.216{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014211961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.216{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014211960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.216{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014211959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.215{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014211957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.215{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014211953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.213{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014211952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.211{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014211951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.210{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014211950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014211949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014211948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014211947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014211943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.190{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014211942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.190{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 22542200x800000000000000014211913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:48.847{8B6011A9-BC43-6154-631A-02000000F001}920paste.ee0::ffff:104.26.5.223;::ffff:172.67.68.88;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 734700x800000000000000014211911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.203{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014211897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.188{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014211856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.188{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014211854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014211853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014211851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014211848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.186{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014211846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.186{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014211844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014211842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014211840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014211839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.184{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014211837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.184{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014211834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.183{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014211833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.183{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014211832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014211830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 10341000x800000000000000014211829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.182{8B6011A9-BC43-6154-631A-02000000F001}9205244C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014211828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014211827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.181{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014211826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.181{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014211825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 
734700x800000000000000014211824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014211823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 734700x800000000000000014211821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014211817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.179{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000014211812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.179{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014211808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014211804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014211797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014211794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.177{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014211792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.176{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014211791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.175{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x800000000000000014211790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.175{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014211789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.175{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000014211788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.175{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014211786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.174{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014211785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.174{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014211784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.173{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000014211783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.173{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014211782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.172{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014211780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.172{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014211778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
734700x800000000000000014211777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000014211776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.168{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014211775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.168{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005230169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000009CA1F8) 154100x800000000000000014211774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:35.168{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 354300x800000000000000014212959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:50.768{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62530-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 10341000x800000000000000014212750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.451{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014212749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.451{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000014212745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.449{8B6011A9-BC1B-6154-561A-02000000F001}82202828C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe{8B6011A9-BC49-6154-681A-02000000F001}6968C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\SYSTEM32\dbghelp.dll+e879d|C:\Windows\SYSTEM32\dbghelp.dll+dffbd|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+b0556|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+ae7c7|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+89132|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+85a2e|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+76583|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+2e9e3|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+7676b|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+74951|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+cdb40|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014212744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.449{8B6011A9-BC1B-6154-561A-02000000F001}82202828C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe{8B6011A9-BC49-6154-681A-02000000F001}6968C:\Windows\winhlp32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbghelp.dll+c171e|C:\Windows\SYSTEM32\dbghelp.dll+e8775|C:\Windows\SYSTEM32\dbghelp.dll+dffbd|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+b0556|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+ae7c7|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+89132|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+85a2e|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+76583|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+2e9e3|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+7676b|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+74951|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+cdb40|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014212743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.449{8B6011A9-BC1B-6154-561A-02000000F001}82202828C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe{8B6011A9-BC49-6154-681A-02000000F001}6968C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+b049c|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+ae7c7|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+89132|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+85a2e|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+76583|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+2e9e3|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+7676b|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+74951|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+cdb40|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014212729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.448{8B6011A9-BC1B-6154-561A-02000000F001}82202828C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe{8B6011A9-BC49-6154-681A-02000000F001}6968C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+ae682|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+89132|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+85a2e|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+76583|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+2e9e3|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+7676b|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+74951|C:\Users\ADMINI~1\AppData\Local\Temp\2\Procmon64.exe+cdb40|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014212726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.448{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.447{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.447{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.446{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.446{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.446{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.444{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014212707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.444{8B6011A9-BC49-6154-6B1A-02000000F001}85888576C:\Windows\SysWOW64\WerFault.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000014212468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.364{8B6011A9-BC49-6154-6B1A-02000000F001}8588C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 84C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000014212412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:37.350{8B6011A9-BC49-6154-6A1A-02000000F001}60766384C:\Windows\System32\svchost.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014212411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.350{8B6011A9-BC49-6154-6A1A-02000000F001}60766384C:\Windows\System32\svchost.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014212410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.350{8B6011A9-BC49-6154-6A1A-02000000F001}60766384C:\Windows\System32\svchost.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014212218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:19:37.268{8B6011A9-BC49-6154-691A-02000000F001}9176C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014212216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.267{8B6011A9-BC49-6154-691A-02000000F001}9176C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 10341000x800000000000000014212133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.236{8B6011A9-BC43-6154-631A-02000000F001}9209780C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC49-6154-691A-02000000F001}9176C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1
ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014212131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.236{8B6011A9-BC49-6154-691A-02000000F001}9176C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 10341000x800000000000000014212129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.235{8B6011A9-BC49-6154-671A-02000000F001}65646724C:\Windows\winhlp32.exe{8B6011A9-BC49-6154-681A-02000000F001}6968C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|UNKNOWN(0000000076FDEF6C)|UNKNOWN(000000007705CF02)|UNKNOWN(000000007701F19A)|UNKNOWN(000000007701E602)|UNKNOWN(000000007701E24A)|UNKNOWN(00000000770167D2)|UNKNOWN(0000000076FD7FC0) 12241200x800000000000000014212128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:37.230{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 
12241200x800000000000000014212127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:37.230{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014212126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.230{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014212125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.229{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014212124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.229{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014212123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.229{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014212122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.228{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014212121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.228{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014212120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.228{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014212119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.227{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014212118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.227{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014212117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.226{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014212116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.224{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014212115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.224{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005350169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000009CA1F8)
154100x800000000000000014212114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:37.224{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
22542200x800000000000000014212113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:51.613{8B6011A9-BC47-6154-651A-02000000F001}6472snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe
734700x800000000000000014213202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.344{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
534500x800000000000000014213190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.407{8B6011A9-BC49-6154-671A-02000000F001}6564C:\Windows\winhlp32.exe
534500x800000000000000014213172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.387{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe
734700x800000000000000014213167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.343{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
10341000x800000000000000014213139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.349{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014213138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.349{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014213137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.349{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014213136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.348{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000014213135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014213134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014213133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000014213132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014213131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014213130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014213129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000014213128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.347{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000014213127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.345{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014213126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.345{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014213125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.345{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000014213123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.345{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
734700x800000000000000014213121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.336{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
18141800x800000000000000014213120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 19:19:39.343{8B6011A9-BC43-6154-631A-02000000F001}920\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000014213093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.324{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid
10341000x800000000000000014213069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014213068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014213067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014213066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000014213065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014213064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014213063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.326{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000014213062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.325{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014213061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.325{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014213060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.325{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014213059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.325{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000014213058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.325{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000014213056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.312{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 11241100x800000000000000014213055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.323{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 
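The rows on this page are Sysmon events whose field delimiters were lost in export, so the System block (EventID, Version, Level, Task, Opcode, Keywords, RecordID) and the EventData fields run together. The Python below is an added example, not part of the Attack Range dataset or of any Splunk detection: it parses that fused layout for the event types present here (5, 7, 10, 11, 23) and flags what these rows show, a script host rewriting and deleting a .vbs in the Startup folder, an unsigned DLL loaded into wscript.exe, and wscript.exe opening a handle to explorer.exe. Two assumptions are built in: the field order is the Sysmon schema order, and Task always equals EventID, which is what lets the regex find the boundary inside a digit run such as `10341000x80...`. The fused SourceProcessId+SourceThreadId of ProcessAccess records (`92010188`) is split by matching the PID learned from other events that share the ProcessGuid. The sample rows are constructed from the page's records (hashes copied; the call trace cut to three frames).

```python
"""Parse Sysmon records whose field delimiters were stripped (the layout of the rows on
this page) and flag the script-host activity they record.  Added example, not part of
the Attack Range dataset; the sample rows are constructed from the page's records."""
import re

# Header: EventID Version Level Task Opcode Keywords RecordID Channel Computer RuleName
# UtcTime ProcessGuid, all run together (assumed Sysmon schema order).  Task always
# equals EventID, which is what pins the boundary inside the fused digit run.
HEADER = re.compile(
    r"^(?P<eid>\d+?)(?P<ver>\d)4(?P=eid)0(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\{(?P<guid>[0-9A-F-]+)\}(?P<body>.*)$"
)
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
BODY = {
    # 10 ProcessAccess: SourceProcessId+SourceThreadId are fused ("92010188"); see parse_all.
    10: re.compile(r"^(?P<pidtid>\d+)(?P<image>C:\\.+?)\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)"
                   r"(?P<target>C:\\.+?)(?P<access>0x[0-9A-Fa-f]+?)(?P<trace>C:\\.*)$"),
    # 7 ImageLoad: version/description/product/company/original name are skipped by .*?
    7: re.compile(r"^(?P<pid>\d+)(?P<image>C:\\.+?)(?P<target>C:\\.+?\.(?:dll|DLL|ocx|OCX|exe|EXE))"
                  r".*?MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha>[0-9A-F]{64})(?P<signed>true|false)"
                  r"(?P<sig>.*?)(?P<status>Valid|Invalid|Unavailable|Expired)$"),
    11: re.compile(r"^(?P<pid>\d+)(?P<image>C:\\.+?)(?P<target>C:\\.+?)(?P<ctime>" + TS + r")$"),
    23: re.compile(r"^(?P<pid>\d+)(?P<user>.+?\\.+?)(?P<image>C:\\.+?)(?P<target>C:\\.+?)"
                   r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha>[0-9A-F]{64})"
                   r"(?P<is_exe>true|false)(?P<archived>true|false)$"),
    5: re.compile(r"^(?P<pid>\d+)(?P<image>C:\\.+)$"),
}


def parse_record(line):
    """Return a dict for one fused record, or None if the line is not a Sysmon record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    eid = int(m["eid"])
    rec = {"event_id": eid, "version": int(m["ver"]), "record": int(m["rec"]),
           "host": m["host"], "utc": m["utc"], "guid": m["guid"]}
    body = BODY.get(eid)
    b = body.match(m["body"]) if body else None
    if b:
        rec.update(b.groupdict())
    return rec


def parse_all(lines):
    recs = [r for r in map(parse_record, lines) if r]
    # ProcessGuid -> ProcessId from events whose pid is unambiguous (5/7/11/23) is used
    # to split the fused SourceProcessId+SourceThreadId of ProcessAccess records.
    pids = {r["guid"]: r["pid"] for r in recs if "pid" in r}
    for r in recs:
        pid = pids.get(r["guid"])
        if r["event_id"] == 10 and pid and r.get("pidtid", "").startswith(pid):
            r["pid"], r["tid"] = pid, r["pidtid"][len(pid):]
    return recs


STARTUP = "\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def findings(recs):
    """(RecordID, rule, detail) for every record that matches one of the checks."""
    out = []
    for r in recs:
        eid, image, target = r["event_id"], r.get("image", ""), r.get("target", "")
        if not image.lower().endswith(SCRIPT_HOSTS):
            continue
        if eid == 11 and STARTUP in target.lower():
            why = "startup-folder script written by script host"
            if r["ctime"] < r["utc"]:  # same text format, so string order is time order
                why += " (existing file rewritten; original creation %s)" % r["ctime"]
            out.append((r["record"], why, target))
        elif eid == 23 and STARTUP in target.lower():
            out.append((r["record"], "startup-folder script deleted by script host", target))
        elif eid == 7 and r.get("signed") == "false":
            out.append((r["record"], "unsigned module loaded into script host", target))
        elif eid == 10:
            out.append((r["record"], "script host pid %s tid %s opened %s on target"
                        % (r.get("pid"), r.get("tid"), r["access"]), target))
    return out


# Constructed sample rows modelled on the records above (hashes copied from the page;
# the ProcessAccess call trace is abbreviated to three frames).
PFX = "Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39."
G = "{8B6011A9-BC43-6154-631A-02000000F001}920"
VBS = r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs"
SAMPLE = [
    "11241100x800000000000000014213055" + PFX + "323" + G + r"C:\Windows\SYSWOW64\WSCRIPT.EXE"
    + VBS + "2021-09-29 18:56:37.362",
    "23542300x800000000000000014213054" + PFX + "322" + G
    + r"ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXE" + VBS
    + "MD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256="
    "CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue",
    "734700x800000000000000014213056" + PFX + "312" + G
    + r"C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll"
    "19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256="
    "68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable",
    "734700x800000000000000014213051" + PFX + "308" + G
    + r"C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll"
    "10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft Windows Operating "
    "SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256="
    "47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid",
    "10341000x800000000000000014213066" + PFX + "326" + G + r"10188C:\Windows\SYSWOW64\WSCRIPT.EXE"
    r"{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|"
    r"C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\SHELL32.dll+4411c1(wow64)",
    "534500x800000000000000014213012" + PFX + "293{8B6011A9-BC4B-6154-6C1A-02000000F001}6400"
    + r"C:\Windows\winhlp32.exe",
]

if __name__ == "__main__":
    for rec_id, rule, detail in findings(parse_all(SAMPLE)):
        print(rec_id, rule, detail)
```

On this data the Startup-folder write (whose CreationUtcTime of 18:56:37 predates the 19:19:39 event, so an existing remcos.vbs was rewritten), the matching delete, and the unsigned 7-zip32.dll load are the findings worth paging on. The ProcessAccess hits are weaker on their own: GrantedAccess 0x40 is PROCESS_DUP_HANDLE, and every frame after KERNELBASE sits in shcore, windows.storage and SHELL32 under WOW64, which is what a shell file operation from a 32-bit script host looks like rather than code injection, so treat those records as context for the other three.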
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=14213054 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.322 ProcessGuid={8B6011A9-BC43-6154-631A-02000000F001} ProcessId=920 User=ATTACKRANGE\Administrator Image=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs Hashes=MD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89 IsExecutable=false Archived=true
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213051 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.308 ProcessGuid={8B6011A9-BC43-6154-631A-02000000F001} ProcessId=920 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Windows\SysWOW64\zipfldr.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Compressed (zipped) Folders Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ZIPFLDR.DLL Hashes=MD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213050 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213049 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213048 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213047 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213046 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213045 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=14213044 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.319 SourceProcessGUID={8B6011A9-BC43-6154-631A-02000000F001} SourceProcessId=920 SourceThreadId=10188 SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE TargetProcessGUID={8B6011A9-EF7D-6151-C8C2-01000000F001} TargetProcessId=8648 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.309 ProcessGuid={8B6011A9-BC43-6154-631A-02000000F001} ProcessId=920 Image=C:\Windows\SysWOW64\wscript.exe ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll FileVersion=6.10 (rs1_release.210107-1130) Description=User Experience Controls Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=comctl32.DLL Hashes=MD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=5 Version=3 Level=4 Task=5 Opcode=0 Keywords=0x8000000000000000 RecordID=14213012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.293 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.288 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\imm32.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Multi-User Windows IMM32 API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=imm32 Hashes=MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.287 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\netutils.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Net Win32 API Helpers DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NETUTILS.DLL Hashes=MD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213009 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.287 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\srvcli.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Server Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SRVCLI.DLL Hashes=MD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213008 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\iertutil.dll FileVersion=11.00.14393.4467 (rs1_release.210604-1844) Description=Run time utility for Internet Explorer Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=IeRtUtil.dll Hashes=MD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base Multimedia Extension API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMMbase.DLL Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base Multimedia Extension API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMMbase.DLL Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=Microsoft GDI+ Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdiplus Hashes=MD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\urlmon.dll FileVersion=11.00.14393.4530 (rs1_release.210705-0736) Description=OLE32 Extensions for Win32 Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=UrlMon.dll Hashes=MD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.286 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\winmm.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=MCI API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WINMM.DLL Hashes=MD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213002 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.285 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\ws2_32.dll FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) Description=Windows Socket 2.0 32-Bit DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ws2_32.dll Hashes=MD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213001 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.285 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\profapi.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=User Profile Basic API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=PROFAPI.DLL Hashes=MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14213000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.285 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\SHCore.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=SHCORE Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHCORE.dll Hashes=MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212999 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.284 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\kernel.appcore.dll FileVersion=10.0.14393.2312 (rs1_release.180607-1919) Description=AppModel API Host Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel.appcore.dll Hashes=MD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212998 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.284 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\shlwapi.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Shell Light-weight Utility Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHLWAPI.DLL Hashes=MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212997 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.284 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\powrprof.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Power Profile Helper DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=POWRPROF.DLL Hashes=MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212996 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.284 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\ucrtbase.dll FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) Description=Microsoft® C Runtime Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ucrtbase.dll Hashes=MD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212995 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.283 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\combase.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Microsoft COM for Windows Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=COMBASE.DLL Hashes=MD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212994 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.283 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\windows.storage.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Microsoft WinRT Storage API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Windows.Storage.dll Hashes=MD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037F Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212993 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.283 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\cfgmgr32.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Configuration Manager DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=CFGMGR32.DLL Hashes=MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordID=14212992 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-469.attackrange.local RuleName=- UtcTime=2021-09-29 19:19:39.282 ProcessGuid={8B6011A9-BC4B-6154-6C1A-02000000F001} ProcessId=6400 Image=C:\Windows\winhlp32.exe ImageLoaded=C:\Windows\SysWOW64\shell32.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Windows Shell Common Dll Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SHELL32.DLL Hashes=MD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BE Signed=true Signature=Microsoft Windows SignatureStatus=Valid
734700x800000000000000014212991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.282{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014212990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.281{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014212989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.281{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014212988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.281{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000014212987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.281{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014212986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.280{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014212985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.280{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014212984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.279{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000014212983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.279{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014212982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.279{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014212981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.279{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014212980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.277{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000014212979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.277{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014212978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.276{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014212977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.276{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014212976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.276{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000014212975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.276{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014212974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.275{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014212973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.275{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014212972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.275{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000014212971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.274{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014212970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.274{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014212969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.273{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014212968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.271{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014212967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:19:39.270{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005660169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000009CA1F8) 154100x800000000000000014212966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:39.271{8B6011A9-BC4B-6154-6C1A-02000000F001}6400C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014215575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.992{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014215574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.979{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014215573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.979{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014215572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.978{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014215571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.978{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014215570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.976{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 
12241200x800000000000000014215569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014215568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014215567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014215566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014215565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014215564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.975{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014215563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014215562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014215561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014215560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014215559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014215558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.974{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014215557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.973{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014215556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.973{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 
734700x800000000000000014215555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.971{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000014215554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.971{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014215553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.970{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000014215552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.956{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014215551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.956{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 
(rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014215550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.946{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 12241200x800000000000000014215549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.945{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014215547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000014215546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.944{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.943{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014215541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.940{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014215540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.940{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 
13241300x800000000000000014215539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.937{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014215538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.937{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014215537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.936{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014215535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014215534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014215533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014215532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014215531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014215530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.933{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014215529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.932{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014215528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.932{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014215527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:20:27.802{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014215385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.801{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014215384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.801{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014215383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.800{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014215382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.799{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014215381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.799{8B6011A9-BC7B-6154-741A-02000000F001}6728600C:\Windows\System32\WScript.exe{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014215380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.799{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript 
"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014215377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.759{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014215376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.790{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014215361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.789{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014215348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.757{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014215321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.755{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000014215282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.753{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x800000000000000014215256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.754{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014215254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.754{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014215253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.753{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014215252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.373{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 734700x800000000000000014215227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.356{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x800000000000000014215200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.351{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014215173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.349{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014215148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.347{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014215123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.346{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 734700x800000000000000014215096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.331{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000014215069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.320{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000014215042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.316{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 734700x800000000000000014215015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.303{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 734700x800000000000000014214990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.301{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000014214965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.290{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route 
HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014214940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.489{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014214939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.488{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014214938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.488{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014214935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.258{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014214910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.258{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014214885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.257{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014214860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.257{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014214835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.257{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014214808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.256{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014214783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.254{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 13241300x800000000000000014214759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.359{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014214758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.358{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014214757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:20:27.358{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014214756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.358{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014214755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.358{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014214754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.358{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000014214753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014214752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014214751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 
12241200x800000000000000014214750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014214749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014214748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014214747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014214746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.353{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014214745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.352{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014214744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.352{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014214743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:20:27.352{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014214742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.352{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014214741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.352{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000014214740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.332{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 12241200x800000000000000014214739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.316{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.315{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014214732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.312{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014214731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.311{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000014214730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:20:27.308{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014214729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.307{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014214728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.307{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014214726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.303{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014214725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.303{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014214724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.303{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
13241300x800000000000000014214723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.303{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014214722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.302{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014214721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.302{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014214720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.302{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014214719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.302{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000014214718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:20:27.301{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014214717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.301{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000014214716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.300{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014214715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:27.300{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014214714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.299{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014214713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.298{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
734700x800000000000000014214712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.297{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000014214711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.290{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014214710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.287{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000014214709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.283{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014214708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.283{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014214707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.282{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014214705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.245{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014214680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.245{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014214673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.271{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014214655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.269{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014214654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.268{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014214653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.268{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000014214652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.268{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014214651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.267{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014214650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.265{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014214649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.262{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014214647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.241{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000014214637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.254{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014214623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.252{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014214621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.252{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000014214620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.250{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014214619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.250{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014214618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.249{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014214617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.249{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014214616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.248{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014214614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.235{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000014214613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.246{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014214605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.245{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000014214588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.243{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000014214587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.242{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft 
Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000014214585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.221{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 734700x800000000000000014214561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.232{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000014214559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.217{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x800000000000000014214534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.220{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014214533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:27.220{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000014214530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.219{8B6011A9-51ED-6143-0C00-00000000F001}8527252C:\Windows\system32\svchost.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014214529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.212{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 10341000x800000000000000014214523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.217{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014214521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.217{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014214506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.216{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000014214499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.210{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft 
CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000014214498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.210{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000014214497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.209{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000014214496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.209{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014214495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.208{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014214494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.208{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014214493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.208{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014214492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.207{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 13241300x800000000000000014214486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:20:27.197{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b567-0x0f32f8f6) 734700x800000000000000014214482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.195{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014214480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.194{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014214479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.194{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014214478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.193{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call 
RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014214477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.193{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014214475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.193{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014214474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.193{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014214471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.191{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014214469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.191{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014214466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.190{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014214465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.190{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000014214464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:27.188{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014214463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.188{8B6011A9-EF7D-6151-C8C2-01000000F001}86488028C:\Windows\explorer.exe{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014214462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:27.188{8B6011A9-BC7B-6154-741A-02000000F001}6728C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 
C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 734700x800000000000000014215679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.508{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014215675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:28.504{8B6011A9-BC7C-6154-761A-02000000F001}8016C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014215673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.503{8B6011A9-BC7C-6154-761A-02000000F001}8016C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014215624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.473{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014215622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.472{8B6011A9-BC7B-6154-751A-02000000F001}46929820C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC7C-6154-761A-02000000F001}8016C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014215621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.472{8B6011A9-BC7C-6154-761A-02000000F001}8016C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014215620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.465{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014215619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:28.463{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000014215618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:28.442{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014215617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:28.442{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014215616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:28.441{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014215615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.438{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000014215588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.415{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014215587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.414{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014215586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:28.410{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014215585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.409{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014215584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:28.408{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014215583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:20:28.408{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014215582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.408{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014215581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:28.407{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000014215578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.113{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014215577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.113{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014215576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:28.113{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 22542200x800000000000000014215684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:44.330{8B6011A9-BC7B-6154-751A-02000000F001}4692paste.ee0::ffff:104.26.5.223;::ffff:172.67.68.88;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 354300x800000000000000014215681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:43.254{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62558-false104.26.5.223-443https 13241300x800000000000000014215793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:20:30.549{8B6011A9-BC7E-6154-781A-02000000F001}8960C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014215791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.549{8B6011A9-BC7E-6154-781A-02000000F001}8960C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014215769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.531{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exe 734700x800000000000000014215754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.525{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014215753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.524{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014215752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.524{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014215751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.524{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014215749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.523{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014215748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.523{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014215747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.523{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014215746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.523{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014215745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.522{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000014215744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.522{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014215742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.521{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014215740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.521{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014215739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.521{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000014215737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.520{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014215735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.520{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014215733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.519{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014215731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.519{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000014215729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.519{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014215727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.518{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014215725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.518{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014215721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.517{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 
734700x800000000000000014215720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.516{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014215719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.516{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014215717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:30.516{8B6011A9-BC7E-6154-771A-02000000F001}6056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 10341000x800000000000000014215716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014216003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.855{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014216002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.800{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 
10341000x800000000000000014216001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.800{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014216000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.800{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014215999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.800{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014215998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014215997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014215996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014215995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014215994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014215993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.799{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014215992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.798{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014215991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.798{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014215990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.797{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014215989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.797{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014215988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.797{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014215987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.797{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000014215986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.796{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000014215985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 19:20:34.795{8B6011A9-BC7B-6154-751A-02000000F001}4692\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000014215984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.795{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000014215983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.794{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000014215982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.787{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014215981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.787{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014215980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.748{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014215923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.747{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014215922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.746{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014215921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.746{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014215920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.745{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014215919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.745{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014215918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.745{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014215917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.744{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014215916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.744{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014215915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.744{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014215914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.743{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014215913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.743{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014215912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:20:34.742{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014215911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.739{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014215910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.739{8B6011A9-BC7B-6154-751A-02000000F001}46928128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007AF0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(000000000834B680) 154100x800000000000000014215909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:20:34.739{8B6011A9-BC82-6154-7B1A-02000000F001}9872C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BC7B-6154-751A-02000000F001}4692C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014217026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.996{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exe 23542300x800000000000000014217025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.993{8B6011A9-BCD5-6154-861A-02000000F001}7808ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\gokuhgnkfabznuenvemslqi.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue 734700x800000000000000014217024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.992{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014217023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.990{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014217022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.989{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014217021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.985{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014217020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.985{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014217019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.984{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014217018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.984{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014217017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.984{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014217016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.983{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014217015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.983{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014217014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.982{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014217013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.981{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014217012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.981{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014217011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:21:57.979{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x800000000000000014217010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.978{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014217009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.978{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014217008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.977{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014217007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.974{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014217006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.974{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014217005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.974{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014217004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.974{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014217003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.972{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014217002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.971{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014217001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.970{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014217000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.969{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014216999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.968{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014216998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.967{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014216997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:21:57.967{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014216996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:21:57.966{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014216995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:21:57.965{8B6011A9-51ED-6143-0C00-00000000F001}8528212C:\Windows\system32\svchost.exe{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014216994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.964{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014216993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:21:57.964{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014216992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.963{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014216991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.963{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014216990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:21:57.959{8B6011A9-BCD5-6154-861A-02000000F001}7808C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
13241300x800000000000000014232052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.944{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014232050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014232049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014232048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014232047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014232046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings 12241200x800000000000000014232045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014232044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.943{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014232043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000014232042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014232041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014232040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000014232039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014232038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:46.942{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014232037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.941{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014232036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.941{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 
12241200x800000000000000014232035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.941{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014232034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.941{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000014232033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.940{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014232032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.940{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014232031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.939{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000014232030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.937{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014232029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.937{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014232028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.937{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014232027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.934{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014232026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.933{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014232002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.932{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000014232001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.932{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014231999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.932{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014231998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.931{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014231997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.929{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014231988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.928{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014231970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.926{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014231969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.926{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014231968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.925{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014231967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.925{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014231966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.925{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014231965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.924{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014231964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.924{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000014231963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.924{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014231957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.923{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014231923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:46.919{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000014231922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:46.918{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014231921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.918{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014231919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.917{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014231918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.917{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014231917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.916{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014231912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.914{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014231909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.914{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014231907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.914{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® 
Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014231906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.913{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000014231902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.912{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000014231897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.912{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000014231896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:46.911{8B6011A9-C17A-6154-151B-02000000F001}960C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
19:41:47.510{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014232562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:47.510{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014232561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.510{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014232560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.510{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014232559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.510{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014232558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014232557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014232556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000014232555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014232554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014232553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.509{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 
12241200x800000000000000014232552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.508{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014232551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.508{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014232550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.508{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014232549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.507{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014232548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.507{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014232547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.506{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014232546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.505{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000014232545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.503{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014232544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.503{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014232543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.499{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014232542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.498{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014232541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.497{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014232540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.497{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014232539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.497{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014232538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.497{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014232513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.494{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014232512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.493{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014232486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.490{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014232485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.490{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014232484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.490{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014232483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.490{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014232482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.489{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014232481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.489{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014232480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.489{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014232478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.488{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014232477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:47.487{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014232474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.486{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014232451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.485{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014232448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.484{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014232447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.484{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014232446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.483{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014232445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.481{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014232443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.481{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014232442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.481{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014232441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.481{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014232416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.479{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014232415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.479{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014232413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.478{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014232412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.477{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014232409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.475{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014232396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:47.475{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014232383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:47.474{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014232926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.022{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014232923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.021{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014232919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:50.020{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014232917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.020{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014232913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:41:50.019{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014232912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:50.019{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014232911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:50.019{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014232910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:50.019{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014232908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.019{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014232896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.016{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014232891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.015{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014232890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.015{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014232889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.015{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014232888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.015{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 
734700x800000000000000014232887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.014{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014232886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.014{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014232885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.014{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014232884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.014{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 
734700x800000000000000014232883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.014{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014232882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.013{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014232880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.013{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014232879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.013{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 
734700x800000000000000014232878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.013{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014232877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.012{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014232875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.012{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014232873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.012{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000014232872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.011{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014232870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.011{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014232867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.011{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014232865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.010{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000014232862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.009{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014232860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.009{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014232859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.009{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014232857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.009{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000014232855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.008{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014232853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.008{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014232852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.008{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014232851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.007{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000014232849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.007{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000014232848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.007{8B6011A9-C17B-6154-171B-02000000F001}61609172C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C17E-6154-1A1B-02000000F001}6760C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014232847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:50.007{8B6011A9-C17E-6154-1A1B-02000000F001}6760C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014232846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.007{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014232845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.006{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014232844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.005{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014232843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.005{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014232842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.004{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014232841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:50.004{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014232840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.004{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
12241200x800000000000000014232839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:50.004{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014232838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.004{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014232837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.003{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014232836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.003{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014232835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.003{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 
(rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014232834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.002{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014232833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.002{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014232832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.001{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014232831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:50.001{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 354300x800000000000000014233092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:05.603{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local63175-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 13241300x800000000000000014233087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:52.068{8B6011A9-C180-6154-1C1B-02000000F001}3584C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014233085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.067{8B6011A9-C180-6154-1C1B-02000000F001}3584C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014233065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.054{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exe 734700x800000000000000014233048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.050{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014233045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.049{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014233044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.049{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014233043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.049{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014233042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.049{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 
734700x800000000000000014233041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.049{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014233040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.048{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014233039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.048{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014233038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.048{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
734700x800000000000000014233036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.048{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014233035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.047{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014233034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.047{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014233032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.047{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
734700x800000000000000014233031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.046{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014233029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.046{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014233028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.046{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014233026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.045{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 
734700x800000000000000014233023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.045{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014233021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.045{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014233018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.044{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014233016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.043{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014233015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.043{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014233013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.043{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014233011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.043{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014233009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.042{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000014233008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.042{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014233006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.041{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014233005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:52.041{8B6011A9-C17B-6154-171B-02000000F001}61605148C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C180-6154-1C1B-02000000F001}3584C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014233004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.041{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 154100x800000000000000014233003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.042{8B6011A9-C180-6154-1C1B-02000000F001}3584C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® 
Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014233002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.041{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014233001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.041{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014233000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.039{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft 
WindowsValid 734700x800000000000000014232999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.039{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014232998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.038{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014232997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:52.038{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014232996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:52.038{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014232995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.038{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014232994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.038{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014232993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.038{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014232992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.037{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014232991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.037{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014232990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.037{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014232989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.036{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014232988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.036{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014232987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.036{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014232986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.033{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014232985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.033{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006600169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000080AB968) 154100x800000000000000014232984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:52.033{8B6011A9-C180-6154-1B1B-02000000F001}6448C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 22542200x800000000000000014232983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:06.454{8B6011A9-C17D-6154-191B-02000000F001}8256snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 534500x800000000000000014233198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.148{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014233195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.108{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+
4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014233194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.108{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014233193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.108{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014233192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.108{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014233191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.096{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014233156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.096{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014233155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.095{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014233154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.095{8B6011A9-C17B-6154-171B-02000000F001}61609276C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000014233153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.092{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000014233152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.091{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000014233151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.090{8B6011A9-C17B-6154-171B-02000000F001}6160C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000014233150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.082{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exe 734700x800000000000000014233149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.078{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014233148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.078{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014233147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014233146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014233145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014233144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014233143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014233142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014233141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.077{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014233140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.076{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000014233139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.076{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014233138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.076{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014233137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.076{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014233136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.076{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000014233135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.075{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014233134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.075{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014233133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.075{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014233132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.074{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000014233131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.074{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014233130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.074{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014233129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.074{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014233128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.073{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 
734700x800000000000000014233127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.073{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014233126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.072{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014233125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.072{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014233124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.072{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 
734700x800000000000000014233123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.072{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014233122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.071{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014233121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.071{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014233120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.071{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014233119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.070{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014233118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.070{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014233117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.069{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014233116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.069{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000014233115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.068{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014233114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.068{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014233113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.068{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.067{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000014233111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.067{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.067{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014233109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.067{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014233108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:54.066{8B6011A9-C182-6154-1D1B-02000000F001}10068C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
EventRecordID 14233107 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:54.066
  ProcessGuid:      {8B6011A9-C182-6154-1D1B-02000000F001}
  ProcessId:        10068
  Image:            C:\Windows\winhlp32.exe
  ImageLoaded:      C:\Windows\System32\ntdll.dll
  FileVersion:      10.0.14393.4530 (rs1_release.210705-0736)
  Description:      NT Layer DLL
  Product:          Microsoft® Windows® Operating System
  Company:          Microsoft Corporation
  OriginalFileName: ntdll.dll
  Hashes:           MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

EventRecordID 14233106 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:54.066
  ProcessGuid:      {8B6011A9-C182-6154-1D1B-02000000F001}
  ProcessId:        10068
  Image:            C:\Windows\winhlp32.exe
  ImageLoaded:      C:\Windows\winhlp32.exe
  FileVersion:      10.0.14393.0 (rs1_release.160715-1616)
  Description:      Windows Winhlp32 Stub
  Product:          Microsoft® Windows® Operating System
  Company:          Microsoft Corporation
  OriginalFileName: WINHLP32.EXE
  Hashes:           MD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

EventRecordID 14233105 | EventID 10 (Process accessed), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:54.063
  SourceProcessGUID:  {8B6011A9-5DE3-6143-C106-00000000F001}
  SourceProcessId:    436
  SourceThreadId:     4940
  SourceImage:        C:\Windows\system32\csrss.exe
  TargetProcessGUID:  {8B6011A9-C182-6154-1D1B-02000000F001}
  TargetProcessId:    10068
  TargetImage:        C:\Windows\winhlp32.exe
  GrantedAccess:      0x1fffff
  CallTrace:          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID 14233104 | EventID 10 (Process accessed), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:54.063
  SourceProcessGUID:  {8B6011A9-C17B-6154-171B-02000000F001}
  SourceProcessId:    6160
  SourceThreadId:     9276
  SourceImage:        C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID:  {8B6011A9-C182-6154-1D1B-02000000F001}
  TargetProcessId:    10068
  TargetImage:        C:\Windows\winhlp32.exe
  GrantedAccess:      0x1fffff
  CallTrace:          C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006870169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000080AB728)

EventRecordID 14233103 | EventID 1 (Process Create), Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:54.063
  ProcessGuid:        {8B6011A9-C182-6154-1D1B-02000000F001}
  ProcessId:          10068
  Image:              C:\Windows\winhlp32.exe
  FileVersion:        10.0.14393.0 (rs1_release.160715-1616)
  Description:        Windows Winhlp32 Stub
  Product:            Microsoft® Windows® Operating System
  Company:            Microsoft Corporation
  OriginalFileName:   WINHLP32.EXE
  CommandLine:        "C:\Windows\winhlp32.exe"
  CurrentDirectory:   C:\Users\Administrator\Desktop\6104039597178880\
  User:               ATTACKRANGE\Administrator
  LogonGuid:          {8B6011A9-5DE5-6143-CEE2-400000000000}
  LogonId:            0x40e2ce
  TerminalSessionId:  2
  IntegrityLevel:     High
  Hashes:             MD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E
  ParentProcessGuid:  {8B6011A9-C17B-6154-171B-02000000F001}
  ParentProcessId:    6160
  ParentImage:        C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine:  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"

EventRecordID 14233302 | EventID 5 (Process terminated), Version 3, Level 4, Task 5, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:      2021-09-29 19:41:55.707
  ProcessGuid:  {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:    10152
  Image:        C:\Windows\SysWOW64\wscript.exe

EventRecordID 14233301 | EventID 23 (File Delete archived), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:         2021-09-29 19:41:55.705
  ProcessGuid:     {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:       10152
  User:            ATTACKRANGE\Administrator
  Image:           C:\Windows\SysWOW64\WScript.exe
  TargetFilename:  C:\Users\ADMINI~1\AppData\Local\Temp\2\wiofwjtjlqqbmphhhntqkfievo.vbs
  Hashes:          MD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DD
  IsExecutable:    false
  Archived:        true

EventRecordID 14233300 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:55.704
  ProcessGuid:      {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:        10152
  Image:            C:\Windows\SysWOW64\wscript.exe
  ImageLoaded:      C:\Windows\SysWOW64\scrrun.dll
  FileVersion:      5.812.10240.16384
  Description:      Microsoft ® Script Runtime
  Product:          Microsoft ® Script Runtime
  Company:          Microsoft Corporation
  OriginalFileName: scrrun.dll
  Hashes:           MD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

EventRecordID 14233299 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:55.703
  ProcessGuid:      {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:        10152
  Image:            C:\Windows\SysWOW64\wscript.exe
  ImageLoaded:      C:\Windows\SysWOW64\mlang.dll
  FileVersion:      10.0.14393.4169 (rs1_release.210107-1130)
  Description:      Multi Language Support DLL
  Product:          Microsoft® Windows® Operating System
  Company:          Microsoft Corporation
  OriginalFileName: MLANG.DLL
  Hashes:           MD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187C
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

EventRecordID 14233298 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:55.702
  ProcessGuid:      {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:        10152
  Image:            C:\Windows\SysWOW64\wscript.exe
  ImageLoaded:      C:\Windows\SysWOW64\scrobj.dll
  FileVersion:      5.812.10240.16384
  Description:      Windows ® Script Component Runtime
  Product:          Microsoft ® Windows ® Script Component Runtime
  Company:          Microsoft Corporation
  OriginalFileName: scrobj.dll
  Hashes:           MD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480A
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

734700x800000000000000014233297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.700{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User 
Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014233296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.700{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014233295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.699{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014233294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.699{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014233293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.699{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® 
Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014233292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.699{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014233291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.698{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014233290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.698{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014233289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.697{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014233288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.697{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014233287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.696{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014233286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.695{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014233285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.695{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014233284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.694{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014233283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.692{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014233282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.692{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014233281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.692{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft 
CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014233280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.692{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014233279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.691{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014233278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.690{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014233277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.689{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014233276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.689{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014233275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.687{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014233274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.687{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014233273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.686{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014233272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.686{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014233271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.685{8B6011A9-51ED-6143-0C00-00000000F001}8527252C:\Windows\system32\svchost.exe{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.684{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:41:55.684{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014233268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.684{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014233267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.683{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014233266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.681{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000014233265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.680{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014233264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.680{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014233263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.680{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014233262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.679{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000014233261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.679{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014233260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.679{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014233259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.679{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014233258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.678{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014233257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.678{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014233256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.678{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014233255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.677{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014233254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.677{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014233253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.677{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014233252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.677{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014233251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.677{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014233250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.676{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft 
WindowsValid 734700x800000000000000014233249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.676{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014233248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.675{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014233247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.675{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014233246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.674{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
734700x800000000000000014233245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.674{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 534500x800000000000000014233244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.673{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe 734700x800000000000000014233243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.673{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.673{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014233241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.673{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.672{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014233239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.672{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014233238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.671{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014233237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.671{8B6011A9-C183-6154-1E1B-02000000F001}10152C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid

EventRecordID 14233236 | EventID 12 (Registry object added or deleted), Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  EventType:     CreateKey
  UtcTime:       2021-09-29 19:41:55.671
  ProcessGuid:   {8B6011A9-C17D-6154-191B-02000000F001}
  ProcessId:     8256
  Image:         C:\Windows\winhlp32.exe
  TargetObject:  HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings

EventRecordID 14233235 | EventID 12 (Registry object added or deleted), Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  EventType:     CreateKey
  UtcTime:       2021-09-29 19:41:55.671
  ProcessGuid:   {8B6011A9-C17D-6154-191B-02000000F001}
  ProcessId:     8256
  Image:         C:\Windows\winhlp32.exe
  TargetObject:  HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings

EventRecordID 14233234 | EventID 7 (Image loaded), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:          2021-09-29 19:41:55.671
  ProcessGuid:      {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:        10152
  Image:            C:\Windows\SysWOW64\wscript.exe
  ImageLoaded:      C:\Windows\SysWOW64\wscript.exe
  FileVersion:      5.812.10240.16384
  Description:      Microsoft ® Windows Based Script Host
  Product:          Microsoft ® Windows Script Host
  Company:          Microsoft Corporation
  OriginalFileName: wscript.exe
  Hashes:           MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC
  Signed:           true
  Signature:        Microsoft Windows
  SignatureStatus:  Valid

EventRecordID 14233233 | EventID 10 (Process accessed), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:55.670
  SourceProcessGUID:  {8B6011A9-5DE3-6143-C106-00000000F001}
  SourceProcessId:    436
  SourceThreadId:     3712
  SourceImage:        C:\Windows\system32\csrss.exe
  TargetProcessGUID:  {8B6011A9-C183-6154-1E1B-02000000F001}
  TargetProcessId:    10152
  TargetImage:        C:\Windows\SysWOW64\WScript.exe
  GrantedAccess:      0x1fffff
  CallTrace:          C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID 14233232 | EventID 10 (Process accessed), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:55.670
  SourceProcessGUID:  {8B6011A9-C17D-6154-191B-02000000F001}
  SourceProcessId:    8256
  SourceThreadId:     9480
  SourceImage:        C:\Windows\winhlp32.exe
  TargetProcessGUID:  {8B6011A9-C183-6154-1E1B-02000000F001}
  TargetProcessId:    10152
  TargetImage:        C:\Windows\SysWOW64\WScript.exe
  GrantedAccess:      0x1fffff
  CallTrace:          C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)

EventRecordID 14233231 | EventID 1 (Process Create), Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | RuleName -
  UtcTime:            2021-09-29 19:41:55.669
  ProcessGuid:        {8B6011A9-C183-6154-1E1B-02000000F001}
  ProcessId:          10152
  Image:              C:\Windows\SysWOW64\wscript.exe
  FileVersion:        5.812.10240.16384
  Description:        Microsoft ® Windows Based Script Host
  Product:            Microsoft ® Windows Script Host
  Company:            Microsoft Corporation
  OriginalFileName:   wscript.exe
  CommandLine:        "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\wiofwjtjlqqbmphhhntqkfievo.vbs"
  CurrentDirectory:   C:\Users\Administrator\Desktop\6104039597178880\
  User:               ATTACKRANGE\Administrator
  LogonGuid:          {8B6011A9-5DE5-6143-CEE2-400000000000}
  LogonId:            0x40e2ce
  TerminalSessionId:  2
  IntegrityLevel:     High
  Hashes:             MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC
  ParentProcessGuid:  {8B6011A9-C17D-6154-191B-02000000F001}
  ParentProcessId:    8256
  ParentImage:        C:\Windows\winhlp32.exe
  ParentCommandLine:  "C:\Windows\winhlp32.exe"
13241300x800000000000000014233230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:55.667{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014233229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:55.667{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000014233228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:55.666{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014233227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:55.666{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014233226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.666{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014233225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:41:55.658{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000014233224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x800000000000000014233223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000014233222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000014233221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 12241200x800000000000000014233220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 
12241200x800000000000000014233219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.657{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000014233218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.654{8B6011A9-51ED-6143-0C00-00000000F001}8527252C:\Windows\system32\svchost.exe{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014233217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.653{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014233216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:41:55.652{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 
734700x800000000000000014233215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.646{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014233214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.644{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014233213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.644{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014233212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.644{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 
10341000x800000000000000014233211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.643{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.643{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014233209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.642{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014233208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.641{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 11241100x800000000000000014233207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:41:55.640{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\wiofwjtjlqqbmphhhntqkfievo.vbs2021-09-29 19:41:55.640 12241200x800000000000000014233206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-29 19:41:55.640{8B6011A9-C17D-6154-191B-02000000F001}8256C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014233881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.849{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014233880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.849{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014233879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.848{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime 
LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000014233876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.717{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014233875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.702{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.702{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.702{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.702{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
734700x800000000000000014233871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.701{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000014233870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014233869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014233868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014233867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014233866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014233865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014233864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014233863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014233862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014233861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014233860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014233859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.700{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014233858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.699{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x800000000000000014233857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.699{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014233856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.698{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000014233855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.698{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014233854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.697{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 
12241200x800000000000000014233853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.682{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014233852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.681{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014233851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.670{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014233850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000014233849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.669{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.666{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014233841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.666{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000014233840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.664{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014233839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.664{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014233838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.664{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014233836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014233835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014233834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014233833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014233832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014233831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014233830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014233829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014233828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.662{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014233827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.661{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000014233826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.661{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014233825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:42:17.661{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014233824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.661{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000014233823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.660{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014233822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.660{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014233821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.660{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
734700x800000000000000014233820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.659{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014233819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.659{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014233818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.658{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014233817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.658{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft 
WindowsValid 10341000x800000000000000014233816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.656{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.655{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000014233814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.651{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014233813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.650{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014233812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.649{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014233811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.649{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 
734700x800000000000000014233810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.649{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014233809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.649{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014233808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.647{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014233807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.646{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014233806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:17.643{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014233805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.643{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014233804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.643{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014233803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.642{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014233802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:17.642{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014233801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.642{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014233800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.642{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014233799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.641{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014233798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:17.640{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014233797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.640{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014233796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.639{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014233795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.638{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014233794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.638{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014233793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.638{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014233792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.636{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014233791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.636{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014233790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.635{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014233789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.635{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014233788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.634{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014233787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.634{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014233786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.633{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014233785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.632{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014233784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.631{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014233783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.630{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014233782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.630{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014233781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.630{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014233780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.629{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.628{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014233778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:17.628{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014233777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.627{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014233776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.627{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014233775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.624{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000014233774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.623{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014233773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.623{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014233772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.623{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014233771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.622{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000014233770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.622{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014233769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.622{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014233768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.621{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014233767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.621{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014233766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.621{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014233765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.621{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014233764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.620{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014233763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.620{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014233762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.620{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014233761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.619{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 534500x800000000000000014233760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.619{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exe 734700x800000000000000014233759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.619{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014233758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.619{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014233757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.619{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014233756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.617{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014233755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.617{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014233754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.616{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014233753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.616{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014233752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.616{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.616{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014233750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.615{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014233749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.615{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014233748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.615{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014233747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.614{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014233746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.614{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014233745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.614{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014233744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.613{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014233743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:17.612{8B6011A9-C199-6154-1F1B-02000000F001}53246488C:\Windows\System32\WScript.exe{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014233742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.612{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014233741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.609{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 
(rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014233740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.608{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014233739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.603{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014233726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.594{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014233725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.593{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 
734700x800000000000000014233724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.591{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014233723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.590{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014233722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.590{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014233721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.590{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014233720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.590{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 
734700x800000000000000014233719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.589{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014233715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.346{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014233714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.346{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014233713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.345{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 
734700x800000000000000014233710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.205{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014233709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014233704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.194{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014233703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.193{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014233702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014233701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014233700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014233699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014233698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014233697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014233696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014233695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014233694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014233693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014233692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
12241200x800000000000000014233691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014233690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.192{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014233689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.191{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014233688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.191{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014233687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.190{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft 
Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014233686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.190{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000014233683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.176{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014233682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.175{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000014233676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.165{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 
734700x800000000000000014233672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.146{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014233657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.165{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000014233655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.164{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014233648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.162{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014233647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.162{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000014233646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:42:17.160{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014233645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.160{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014233644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.159{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014233642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014233641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014233640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
13241300x800000000000000014233639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014233638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014233637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014233636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014233635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:17.158{8B6011A9-C199-6154-1F1B-02000000F001}5324C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000014233634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:18.212{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014234035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:18.209{8B6011A9-C19A-6154-211B-02000000F001}10220C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014234033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.209{8B6011A9-C19A-6154-211B-02000000F001}10220C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014233982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.182{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014233980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:18.181{8B6011A9-C199-6154-201B-02000000F001}94648952C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C19A-6154-211B-02000000F001}10220C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014233979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.181{8B6011A9-C19A-6154-211B-02000000F001}10220C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014233976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.161{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=EE819BD4AC9B986F13574CD7F1384913,SHA256=E9997360FFACB4DDB4E9E5F6AFDCCDACF1FAACF2CC38A96108700183C27BA194trueMicrosoft WindowsValid 734700x800000000000000014233953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.177{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014233952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:18.176{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014233948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.160{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Program Files (x86)\Common Files\System\ado\msado15.dll10.0.14393.4169 
(rs1_release.210107-1130)ActiveX Data ObjectsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsado15.dllMD5=0773E3F6B080C8BAB1C694136D9AB923,SHA256=4DAC725E8DD3700DB8474A6F9DD40A2DBF0472AEE01827E16EA88808FB3E6924trueMicrosoft WindowsValid 12241200x800000000000000014233924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:18.166{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014233923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:18.166{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014233922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.165{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014233921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.164{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 11241100x800000000000000014233920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:18.162{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll2021-09-29 18:56:31.063 734700x800000000000000014233891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.137{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014233890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.136{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014233889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.134{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014233888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.133{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014233887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:18.132{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014233886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:18.132{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014233885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.132{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014233884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:18.132{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 22542200x800000000000000014234056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.070{8B6011A9-C199-6154-201B-02000000F001}9464paste.ee0::ffff:104.26.5.223;::ffff:104.26.4.223;::ffff:172.67.68.88;C:\Windows\SysWOW64\wscript.exe 354300x800000000000000014234055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:32.996{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local63191-false104.26.5.223-443https 734700x800000000000000014234192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.462{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014234191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.461{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 13241300x800000000000000014234187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:20.233{8B6011A9-C19C-6154-231B-02000000F001}7744C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014234185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.233{8B6011A9-C19C-6154-231B-02000000F001}7744C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014234179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.226{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014234178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.225{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014234176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.224{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 12241200x800000000000000014234173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.224{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014234172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.224{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014234171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.223{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014234170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.223{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014234168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.223{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 734700x800000000000000014234166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.223{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 12241200x800000000000000014234165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.223{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014234164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.222{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014234163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.222{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014234162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.222{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014234161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.222{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014234160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.221{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 
734700x800000000000000014234158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.221{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014234154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.220{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014234150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.219{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014234148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.219{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014234144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:20.218{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014234143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.218{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014234142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:20.218{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014234141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:20.218{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014234139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.218{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014234127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.215{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014234124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.214{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014234123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.214{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014234122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.214{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014234121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.214{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014234120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.214{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014234119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.213{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® 
Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014234118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.213{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014234117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.213{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014234116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.213{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014234114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.212{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014234113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.212{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014234112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.212{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014234110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.212{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014234108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.211{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014234107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.211{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014234106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.211{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014234104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.210{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014234101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.210{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014234099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.210{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014234096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.209{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014234094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.209{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014234093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.208{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014234090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.208{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014234088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.208{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014234087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.207{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014234086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.207{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014234084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.207{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014234083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.207{8B6011A9-C199-6154-201B-02000000F001}94648616C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C19C-6154-231B-02000000F001}7744C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 
154100x800000000000000014234082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.206{8B6011A9-C19C-6154-231B-02000000F001}7744C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014234081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.206{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014234080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.206{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014234079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.206{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014234078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.205{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014234077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.205{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.204{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014234075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:20.204{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014234074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.204{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014234073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:20.203{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014234072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.203{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.203{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000014234070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.203{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.202{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014234068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.202{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014234067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.202{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
734700x800000000000000014234066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.201{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014234065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.201{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014234064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.199{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014234063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:20.198{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000050B0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000007AA3E60) 154100x800000000000000014234062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:20.198{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 354300x800000000000000014234329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:35.776{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local63193-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 
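The records above show one chain in four Sysmon event types: wscript.exe running remcos.vbs spawns regsvr32.exe with `/I /S` on dynwrapx.dll in the user's Temp directory (event 1), loads that unsigned DLL and registers it under a CLSID InProcServer32 key (events 7 and 13), opens a freshly spawned winhlp32.exe with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS) from a call trace that passes through dynwrapx.dll (event 10), after which winhlp32.exe, a stub binary with no reason to talk to the network, resolves snackebay.ddns.net and connects to 46.43.90.184:7676 (events 22 and 3). The following detection logic is an added example written for this page; it is not part of the capture or of the attack range dataset it came from. Its sample records are constructed from field values visible in the capture and use Sysmon's field names, but they are not a re-parse of the raw text, and the call trace is abridged to the frames the rule needs. The rule names, the user-writable path markers and the set of script hosts are this example's own choices.

```python
"""Detection rules over Sysmon events shaped like this capture (added example)."""
import ipaddress

# Constructed sample records: field names follow Sysmon's schema, values are copied
# from the capture (PIDs, paths, GrantedAccess, IP/port, domain, CLSID, hashes).
# They are not a re-parse of the raw text, and the call trace keeps only the
# frames the rule below needs.
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
WINHLP32 = r"C:\Windows\winhlp32.exe"
REGSVR32 = r"C:\Windows\SysWOW64\regsvr32.exe"
TEMP_DLL = r"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"
VBS_CMD = r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"'

EVENTS = [
    {"EventID": 1, "ProcessId": 7744, "Image": REGSVR32,
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /I /S "' + TEMP_DLL + '"',
     "ParentProcessId": 9464, "ParentImage": WSCRIPT, "ParentCommandLine": VBS_CMD},
    {"EventID": 1, "ProcessId": 3380, "Image": WINHLP32, "CommandLine": '"' + WINHLP32 + '"',
     "ParentProcessId": 9464, "ParentImage": WSCRIPT, "ParentCommandLine": VBS_CMD},
    {"EventID": 10, "SourceProcessId": 9464, "SourceImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE",
     "TargetProcessId": 3380, "TargetImage": WINHLP32, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|"
                  r"UNKNOWN(00000000050B0169)|C:\Windows\System32\USER32.dll+c997(wow64)|"
                  + TEMP_DLL + "+155b(wow64)|UNKNOWN(0000000007AA3E60)"},
    {"EventID": 7, "ProcessId": 6788, "Image": REGSVR32, "ImageLoaded": TEMP_DLL, "Signed": "false",
     "Hashes": "MD5=E0B8DFD17B8E7DE760B273D18E58B142,"
               "SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379"},
    {"EventID": 13, "ProcessId": 6788, "Image": REGSVR32, "Details": TEMP_DLL,
     "TargetObject": r"HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node"
                     r"\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)"},
    {"EventID": 3, "ProcessId": 3380, "Image": WINHLP32, "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "10.0.1.14", "DestinationIp": "46.43.90.184", "DestinationPort": 7676},
    {"EventID": 22, "ProcessId": 3380, "Image": WINHLP32,
     "QueryName": "snackebay.ddns.net", "QueryResults": "46.43.90.184;"},
]

# Path markers and script hosts are this example's choices, not a Sysmon or vendor list.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PROCESS_ALL_ACCESS = 0x1FFFFF  # the 0x1fffff GrantedAccess seen in the capture's event 10


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Single-event rules: each finding is (rule name, PID of the offending process)."""
    findings = []
    for e in events:
        eid = e["EventID"]
        # Event 1: a script host registers a DLL that lives in a user-writable directory.
        if eid == 1 and base(e["Image"]) == "regsvr32.exe" and base(e["ParentImage"]) in SCRIPT_HOSTS \
                and in_user_writable(e["CommandLine"]):
            findings.append(("script_host_regsvr32_user_writable_dll", e["ProcessId"]))
        # Event 10: a script host takes PROCESS_ALL_ACCESS on another process, and the caller's
        # stack runs through a module in a user-writable directory (the DynamicWrapperX tell).
        elif eid == 10 and base(e["SourceImage"]) in SCRIPT_HOSTS \
                and (int(e["GrantedAccess"], 16) & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS \
                and any(in_user_writable(frame) for frame in e["CallTrace"].split("|")):
            findings.append(("script_host_full_access_via_user_writable_module", e["TargetProcessId"]))
        # Event 7: an unsigned module is loaded from a user-writable directory.
        elif eid == 7 and e["Signed"] == "false" and in_user_writable(e["ImageLoaded"]):
            findings.append(("unsigned_module_from_user_writable_path", e["ProcessId"]))
        # Event 13: a COM InProcServer32 registration points at a user-writable directory.
        elif eid == 13 and "\\inprocserver32\\" in e["TargetObject"].lower() and in_user_writable(e["Details"]):
            findings.append(("com_inprocserver32_user_writable_path", e["ProcessId"]))
    return findings


def correlate(events):
    """Cross-event rule: children of a script host that later resolve names or connect out."""
    spawned = {e["ProcessId"]: e["Image"] for e in events
               if e["EventID"] == 1 and base(e["ParentImage"]) in SCRIPT_HOSTS}
    hits = []
    for e in events:
        if e["EventID"] == 3 and e["ProcessId"] in spawned and e["Initiated"] == "true" \
                and not ipaddress.ip_address(e["DestinationIp"]).is_private:
            hits.append(("script_host_child_outbound_tcp", e["ProcessId"],
                         f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
        elif e["EventID"] == 22 and e["ProcessId"] in spawned:
            hits.append(("script_host_child_dns", e["ProcessId"], e["QueryName"]))
    return hits


if __name__ == "__main__":
    for finding in detect(EVENTS) + correlate(EVENTS):
        print(*finding)
```

Against the constructed records, `detect` fires four times (regsvr32 PID 7744; the handle to winhlp32 PID 3380; the unsigned load and the CLSID write by regsvr32 PID 6788) and `correlate` twice for PID 3380 (the DNS query and the TCP connection). In production the records would be parsed from Sysmon's XML or a SIEM's JSON rather than typed in, and the single-event rules carry false-positive risk on their own (installers do register COM servers from Temp); the call-trace frame inside the Temp DLL on the event 10 handle, and the network activity from a process spawned by a script host, are the two signals that hold up on their own.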
13241300x800000000000000014234325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:22.264{8B6011A9-C19E-6154-251B-02000000F001}6788C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014234323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.263{8B6011A9-C19E-6154-251B-02000000F001}6788C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 22542200x800000000000000014234314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.625{8B6011A9-C19C-6154-221B-02000000F001}3380snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 534500x800000000000000014234304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.249{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exe 734700x800000000000000014234288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.245{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014234284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014234283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014234282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014234281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014234280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft 
GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014234279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.244{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014234278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.243{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014234277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.243{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014234275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.243{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014234274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.242{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014234273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.242{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014234272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.242{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014234270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.241{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014234268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.241{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014234267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.241{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014234265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.240{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014234262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.240{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014234260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.240{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014234257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.239{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014234255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.239{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014234254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.238{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014234252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.238{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014234250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.238{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014234248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.237{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014234247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.237{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014234246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.237{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014234244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.236{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000014234243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:22.236{8B6011A9-C199-6154-201B-02000000F001}94647832C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C19E-6154-251B-02000000F001}6788C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014234242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.237{8B6011A9-C19E-6154-251B-02000000F001}6788C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014234241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.236{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014234240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.236{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014234239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.235{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000014234238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.234{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.234{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014234236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:22.233{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014234235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.233{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014234234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:22.233{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014234233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.233{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.233{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.233{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.232{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014234229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.232{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014234228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.231{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014234227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.231{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014234226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.231{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014234225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.228{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014234224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.228{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005250169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000007AA3FF8) 154100x800000000000000014234223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:22.229{8B6011A9-C19E-6154-241B-02000000F001}9672C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014234483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.352{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014234482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.314{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 
10341000x800000000000000014234481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.314{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014234480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.314{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014234479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.314{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014234478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014234477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014234476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014234475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014234474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014234473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014234472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014234471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.313{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014234470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.312{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014234469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.281{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014234420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.281{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014234418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.281{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014234417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.281{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014234415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.280{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014234413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.280{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014234411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.280{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014234410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.279{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014234408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.279{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014234407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.279{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014234406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.278{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014234405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.278{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014234404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.277{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014234403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.277{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014234402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.277{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014234401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.277{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014234400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.276{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014234399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.276{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014234398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.276{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014234397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.276{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014234396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.275{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014234395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.274{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014234393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.274{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.273{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014234387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.273{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014234384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.272{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.272{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.272{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.271{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014234365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.271{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014234358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.270{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014234357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.269{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014234356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:24.269{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014234350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.267{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014234348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.266{8B6011A9-C199-6154-201B-02000000F001}94641752C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006940169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000007AA4088) 154100x800000000000000014234346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:24.258{8B6011A9-C1A0-6154-271B-02000000F001}10200C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C199-6154-201B-02000000F001}9464C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014235070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.835{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014235069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.835{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014235068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.833{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 
734700x800000000000000014235065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.711{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014235062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014235061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014235060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014235059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014235058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000014235057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.698{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014235056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014235055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014235054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014235053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014235052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 
12241200x800000000000000014235051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014235050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014235049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014235048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014235047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014235046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014235045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.696{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014235044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
734700x800000000000000014234953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.626{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014234952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.626{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014234951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.626{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014234950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.625{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014234949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.625{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014234948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.625{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014234947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.625{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 534500x800000000000000014234946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.625{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exe 734700x800000000000000014234945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.624{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014234944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.624{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014234943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.623{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014234942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.623{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.622{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014234940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.621{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014234939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.621{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.621{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014234937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.621{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.620{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014234935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.620{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014234934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.619{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014234933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.619{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014234932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.619{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014234931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.618{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014234930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:33.616{8B6011A9-C1A9-6154-2B1B-02000000F001}8206348C:\Windows\System32\WScript.exe{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014234929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.617{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014234928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.614{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 
(rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014234927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.613{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014234926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.608{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014234913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.599{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014234912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.597{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 
734700x800000000000000014234911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.595{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014234910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.595{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014234909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.594{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014234908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.594{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014234907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.594{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 
734700x800000000000000014234906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.593{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014234904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.348{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014234903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.348{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014234902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.347{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 
734700x800000000000000014234901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.217{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014234900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014234899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014234898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014234897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014234896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 
19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014234895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.206{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014234894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.204{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014234893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014234892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014234891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014234890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014234889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014234888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014234887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014234886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014234885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014234884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014234883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:33.203{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014234784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.135{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014234779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.135{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014234778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.134{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014234777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.134{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014234776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.134{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014234775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.133{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014234774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.133{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 13241300x800000000000000014234772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:33.133{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b56a-0x25847f0b) 
734700x800000000000000014234770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.133{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014234769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.132{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014234768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.132{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014234767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.132{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x800000000000000014234763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.130{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014234762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.130{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014234756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.128{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014234755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.128{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 
10341000x800000000000000014234754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.127{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014234753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.127{8B6011A9-EF7D-6151-C8C2-01000000F001}86486084C:\Windows\explorer.exe{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014234752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:33.127{8B6011A9-C1A9-6154-2B1B-02000000F001}820C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" 
"C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 534500x800000000000000014235182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.815{8B6011A9-C19C-6154-221B-02000000F001}3380C:\Windows\winhlp32.exe 734700x800000000000000014235174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.185{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014235170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:34.181{8B6011A9-C1AA-6154-2D1B-02000000F001}6796C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014235168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.181{8B6011A9-C1AA-6154-2D1B-02000000F001}6796C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014235119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:34.154{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014235117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.152{8B6011A9-C1A9-6154-2C1B-02000000F001}51046004C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C1AA-6154-2D1B-02000000F001}6796C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014235116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.153{8B6011A9-C1AA-6154-2D1B-02000000F001}6796C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) 
Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014235115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.148{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014235114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:34.148{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000014235113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:34.139{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014235112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:34.139{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000014235111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.138{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014235110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.137{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 11241100x800000000000000014235109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.136{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll2021-09-29 18:56:31.063 734700x800000000000000014235108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.134{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=EE819BD4AC9B986F13574CD7F1384913,SHA256=E9997360FFACB4DDB4E9E5F6AFDCCDACF1FAACF2CC38A96108700183C27BA194trueMicrosoft WindowsValid 734700x800000000000000014235107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.134{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Program Files (x86)\Common Files\System\ado\msado15.dll10.0.14393.4169 
(rs1_release.210107-1130)ActiveX Data ObjectsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsado15.dllMD5=0773E3F6B080C8BAB1C694136D9AB923,SHA256=4DAC725E8DD3700DB8474A6F9DD40A2DBF0472AEE01827E16EA88808FB3E6924trueMicrosoft WindowsValid 734700x800000000000000014235080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.119{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014235079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.118{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014235078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.116{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014235077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.116{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014235076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:34.116{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014235075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:34.116{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014235074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.115{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014235073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:34.115{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 22542200x800000000000000014235185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:50.074{8B6011A9-C1A9-6154-2C1B-02000000F001}5104paste.ee0::ffff:104.26.5.223;::ffff:104.26.4.223;::ffff:172.67.68.88;C:\Windows\SysWOW64\wscript.exe 
734700x800000000000000014235325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.452{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014235324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.451{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 354300x800000000000000014235323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:48.997{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local63201-false104.26.5.223-443https 13241300x800000000000000014235317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:42:36.226{8B6011A9-C1AC-6154-2F1B-02000000F001}5200C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014235315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.226{8B6011A9-C1AC-6154-2F1B-02000000F001}5200C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014235309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.219{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014235308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.217{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014235306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:36.217{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 12241200x800000000000000014235303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:36.216{8B6011A9-C1AC-6154-2E1B-02000000F001}7704C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014235387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.239{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014235385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.239{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014235384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.239{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014235383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.238{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014235381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.238{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014235379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.238{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014235378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.237{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014235376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.237{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014235374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.237{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014235371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.236{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014235369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.236{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014235366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.235{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014235365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.235{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014235363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.235{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014235361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.235{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014235359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.234{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014235358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.234{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014235357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.234{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000014235355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:38.233{8B6011A9-C1A9-6154-2C1B-02000000F001}51048828C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C1AE-6154-311B-02000000F001}9372C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014235354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.233{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 154100x800000000000000014235353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.234{8B6011A9-C1AE-6154-311B-02000000F001}9372C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® 
Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014235352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.233{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014235351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.233{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014235350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.232{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 
734700x800000000000000014235349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.231{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014235348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.231{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014235347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.230{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014235346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:42:38.230{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014235345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 
19:42:38.230{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014235344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.230{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014235343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.230{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014235342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.230{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014235341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.229{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014235340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.229{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014235339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.229{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014235338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.228{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014235337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.228{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014235336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.228{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014235335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.225{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014235334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:38.225{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006190169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(000000000892E328) 154100x800000000000000014235333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:38.226{8B6011A9-C1AE-6154-301B-02000000F001}4072C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014235543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.368{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014235542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.329{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014235541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.329{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014235540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.328{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014235539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.317{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014235504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.317{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014235503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.316{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014235502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.316{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014235501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.316{8B6011A9-C1A9-6154-2C1B-02000000F001}51046924C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000014235500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.313{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000014235499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.312{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000014235498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.311{8B6011A9-C1A9-6154-2C1B-02000000F001}5104C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000014235497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.303{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exe 734700x800000000000000014235496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.299{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014235495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.298{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014235494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.298{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014235493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.298{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014235492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014235491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014235490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014235489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014235488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014235487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.297{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014235486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.296{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014235485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.296{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014235484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.296{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014235483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.296{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014235482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.295{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014235481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.295{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014235480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.295{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014235479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.295{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014235478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.294{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014235477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.294{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014235476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.293{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014235475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.293{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014235474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.293{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014235473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.293{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014235472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.292{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014235471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.292{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014235470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.292{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014235469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.291{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014235468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.291{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014235467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.291{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014235466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.291{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014235465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.290{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014235464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.289{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014235463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.289{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014235462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
19:42:40.288{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014235461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.288{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014235460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.288{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014235459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:42:40.288{8B6011A9-C1B0-6154-321B-02000000F001}4468C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014235458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 
WindowsValid 734700x800000000000000014966794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.807{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 734700x800000000000000014966779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.813{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000014966777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.813{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000014966776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.812{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft 
WindowsValid 734700x800000000000000014966775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.812{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014966774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.812{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014966773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.812{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014966772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.811{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 
734700x800000000000000014966771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.811{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014966769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.811{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014966768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.811{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014966767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.810{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x800000000000000014966766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.810{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014966765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.810{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014966764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.809{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014966763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.809{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x800000000000000014966762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.808{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014966761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.808{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014966758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.807{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000014966757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.806{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000014966756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.806{8B6011A9-B0F1-6155-7237-02000000F001}12527544C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014966755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:23.805{8B6011A9-B3BB-6155-CC37-02000000F001}1588C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000014968507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:24.881{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014968480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.878{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014968454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.873{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000014968427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.871{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014968403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:24.870{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014968375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.868{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014968352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.865{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014968328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.862{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014968300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:24.861{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014968275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.849{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014968251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.847{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014968223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.846{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014968197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:24.842{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014968171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.837{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014968147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.834{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014968126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.824{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014968105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
12:55:24.872{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014968098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.817{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014968068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.813{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014968044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.810{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014968017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.807{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File 
Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014967993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.806{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014967970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.799{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014967943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.782{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 12241200x800000000000000014967927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:24.820{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script 
Host\Settings 12241200x800000000000000014967926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:24.819{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014967925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.819{8B6011A9-51ED-6143-0C00-00000000F001}8528904C:\Windows\system32\svchost.exe{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014967923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:24.817{8B6011A9-51ED-6143-1600-00000000F001}13249284C:\Windows\System32\svchost.exe{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014967922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
Sysmon records, one per line in export order. Every record carries Channel=Microsoft-Windows-Sysmon/Operational ; Computer=win-dc-469.attackrange.local ; Level=4 ; Opcode=0 ; Keywords=0x8000000000000000 ; RuleName=- ; Task=EventID ; Version=5 for EventID 1, 3 for EventIDs 5, 7 and 10, 2 for EventIDs 12 and 13. Fields follow the Sysmon schema order for each event type.

EventID=10 (ProcessAccess), continuation of the record begun on the preceding line ; UtcTime=12:55:24.817 ; SourceProcessGUID={8B6011A9-51ED-6143-1600-00000000F001} ; SourceProcessId=1324 ; SourceThreadId=1356 ; SourceImage=C:\Windows\System32\svchost.exe ; TargetProcessGUID={8B6011A9-B3BC-6155-CE37-02000000F001} ; TargetProcessId=9424 ; TargetImage=C:\Windows\SYSWOW64\WSCRIPT.EXE ; GrantedAccess=0x1478 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 (ImageLoad) ; RecordID=14967913 ; UtcTime=2021-09-30 12:55:24.775 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\msvcp_win.dll ; FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) ; Description=Microsoft® C Runtime Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=msvcp_win.dll ; Hashes=MD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967886 ; UtcTime=2021-09-30 12:55:24.770 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\oleaut32.dll ; FileVersion=10.0.14393.4402 (rs1_release.210426-1725) ; Description=OLEAUT32.DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=OLEAUT32.DLL ; Hashes=MD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967862 ; UtcTime=2021-09-30 12:55:24.765 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\gdi32full.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=GDI Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=gdi32 ; Hashes=MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967834 ; UtcTime=2021-09-30 12:55:24.754 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\gdi32.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=GDI Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=gdi32 ; Hashes=MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967810 ; UtcTime=2021-09-30 12:55:24.752 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\win32u.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Win32u ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=Win32u.DLL ; Hashes=MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967786 ; UtcTime=2021-09-30 12:55:24.751 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\user32.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=Multi-User Windows USER API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=user32 ; Hashes=MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967759 ; UtcTime=2021-09-30 12:55:24.740 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\bcryptprimitives.dll ; FileVersion=10.0.14393.4583 (rs1_release.210730-1850) ; Description=Windows Cryptographic Primitives Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=bcryptprimitives.dll ; Hashes=MD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5D ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967734 ; UtcTime=2021-09-30 12:55:24.736 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\cryptbase.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Base cryptographic API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=cryptbase.dll ; Hashes=MD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967709 ; UtcTime=2021-09-30 12:55:24.735 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\sspicli.dll ; FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745) ; Description=Security Support Provider Interface ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=security.dll ; Hashes=MD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967682 ; UtcTime=2021-09-30 12:55:24.734 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\rpcrt4.dll ; FileVersion=10.0.14393.4467 (rs1_release.210604-1844) ; Description=Remote Procedure Call Runtime ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=rpcrt4.dll ; Hashes=MD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967659 ; UtcTime=2021-09-30 12:55:24.728 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\sechost.dll ; FileVersion=10.0.14393.3808 (rs1_release.200707-2105) ; Description=Host for SCM/SDDL/LSA Lookup APIs ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=sechost.dll ; Hashes=MD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967634 ; UtcTime=2021-09-30 12:55:24.726 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\msvcrt.dll ; FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) ; Description=Windows NT CRT DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=msvcrt.dll ; Hashes=MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967608 ; UtcTime=2021-09-30 12:55:24.719 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\advapi32.dll ; FileVersion=10.0.14393.4467 (rs1_release.210604-1844) ; Description=Advanced Windows 32 Base API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=advapi32.dll ; Hashes=MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967585 ; UtcTime=2021-09-30 12:55:24.714 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\KernelBase.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=Kernelbase.dll ; Hashes=MD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967558 ; UtcTime=2021-09-30 12:55:24.700 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\wow64cpu.dll ; FileVersion=10.0.14393.3503 (rs1_release.200131-0410) ; Description=AMD64 Wow64 CPU ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wow64cpu.dll ; Hashes=MD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967537 ; UtcTime=2021-09-30 12:55:24.699 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\kernel32.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel32 ; Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967533 ; UtcTime=2021-09-30 12:55:24.701 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\kernel32.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel32 ; Hashes=MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967507 ; UtcTime=2021-09-30 12:55:24.694 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\wow64win.dll ; FileVersion=10.0.14393.3383 (rs1_release.191125-1816) ; Description=Wow64 Console and Win32 API Logging ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wow64lg2.dll ; Hashes=MD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967481 ; UtcTime=2021-09-30 12:55:24.690 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\wow64.dll ; FileVersion=10.0.14393.3503 (rs1_release.200131-0410) ; Description=Win32 Emulation on NT64 ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wow64.dll ; Hashes=MD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967464 ; UtcTime=2021-09-30 12:55:24.700 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\user32.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=Multi-User Windows USER API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=user32 ; Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967463 ; UtcTime=2021-09-30 12:55:24.700 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\kernel32.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel32 ; Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967455 ; UtcTime=2021-09-30 12:55:24.687 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\ntdll.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=NT Layer DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ntdll.dll ; Hashes=MD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292F ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967437 ; UtcTime=2021-09-30 12:55:24.694 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\kernel32.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Windows NT BASE API Client DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=kernel32 ; Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967427 ; UtcTime=2021-09-30 12:55:24.674 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wscript.exe ; FileVersion=5.812.10240.16384 ; Description=Microsoft ® Windows Based Script Host ; Product=Microsoft ® Windows Script Host ; Company=Microsoft Corporation ; OriginalFileName=wscript.exe ; Hashes=MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=5 (ProcessTerminate) ; RecordID=14967410 ; UtcTime=2021-09-30 12:55:24.680 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe
EventID=7 (ImageLoad) ; RecordID=14967382 ; UtcTime=2021-09-30 12:55:24.674 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\System32\ntdll.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=NT Layer DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ntdll.dll ; Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=10 (ProcessAccess) ; RecordID=14967379 ; UtcTime=2021-09-30 12:55:24.673 ; SourceProcessGUID={8B6011A9-5DE3-6143-C106-00000000F001} ; SourceProcessId=436 ; SourceThreadId=3712 ; SourceImage=C:\Windows\system32\csrss.exe ; TargetProcessGUID={8B6011A9-B3BC-6155-CE37-02000000F001} ; TargetProcessId=9424 ; TargetImage=C:\Windows\SYSWOW64\WSCRIPT.EXE ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 (ProcessAccess) ; RecordID=14967378 ; UtcTime=2021-09-30 12:55:24.673 ; SourceProcessGUID={8B6011A9-B3BB-6155-CC37-02000000F001} ; SourceProcessId=1588 ; SourceThreadId=6468 ; SourceImage=C:\Windows\System32\WScript.exe ; TargetProcessGUID={8B6011A9-B3BC-6155-CE37-02000000F001} ; TargetProcessId=9424 ; TargetImage=C:\Windows\SYSWOW64\WSCRIPT.EXE ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 (ProcessCreate) ; RecordID=14967372 ; UtcTime=2021-09-30 12:55:24.672 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; FileVersion=5.812.10240.16384 ; Description=Microsoft ® Windows Based Script Host ; Product=Microsoft ® Windows Script Host ; Company=Microsoft Corporation ; OriginalFileName=wscript.exe ; CommandLine="C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" ; CurrentDirectory=C:\Users\Administrator\Desktop\ ; User=ATTACKRANGE\Administrator ; LogonGuid={8B6011A9-5DE5-6143-CEE2-400000000000} ; LogonId=0x40e2ce ; TerminalSessionId=2 ; IntegrityLevel=High ; Hashes=MD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC ; ParentProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ParentProcessId=1588 ; ParentImage=C:\Windows\System32\wscript.exe ; ParentCommandLine="C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
EventID=7 (ImageLoad) ; RecordID=14967349 ; UtcTime=2021-09-30 12:55:24.668 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\edputil.dll ; FileVersion=10.0.14393.2608 (rs1_release.181024-1742) ; Description=EDP util ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=EDPUTIL.DLL ; Hashes=MD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 (RegistryEvent) ; RecordID=14967334 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.667 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
EventID=7 (ImageLoad) ; RecordID=14967296 ; UtcTime=2021-09-30 12:55:24.661 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\propsys.dll ; FileVersion=7.0.14393.4169 (rs1_release.210107-1130) ; Description=Microsoft Property System ; Product=Windows® Search ; Company=Microsoft Corporation ; OriginalFileName=propsys.dll ; Hashes=MD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967186 ; UtcTime=2021-09-30 12:55:24.565 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbem\fastprox.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=WMI Custom Marshaller ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=fastprox.dll ; Hashes=MD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967185 ; UtcTime=2021-09-30 12:55:24.556 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbem\wbemsvc.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemsvc.dll ; Hashes=MD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967184 ; UtcTime=2021-09-30 12:55:24.553 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbem\wmiutils.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wmiutils.dll ; Hashes=MD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967178 ; UtcTime=2021-09-30 12:55:24.546 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbem\wbemdisp.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=WMI Scripting ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WBEMDISP.DLL ; Hashes=MD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DC ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967159 ; UtcTime=2021-09-30 12:55:24.551 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbem\wbemprox.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemprox.dll ; Hashes=MD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 (RegistryEvent) ; RecordID=14967157 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.550 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
EventID=12 (RegistryEvent) ; RecordID=14967156 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.550 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
EventID=7 (ImageLoad) ; RecordID=14967155 ; UtcTime=2021-09-30 12:55:24.550 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wbemcomn.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemcomn.dll ; Hashes=MD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967139 ; UtcTime=2021-09-30 12:55:24.297 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\scrrun.dll ; FileVersion=5.812.10240.16384 ; Description=Microsoft ® Script Runtime ; Product=Microsoft ® Script Runtime ; Company=Microsoft Corporation ; OriginalFileName=scrrun.dll ; Hashes=MD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967115 ; UtcTime=2021-09-30 12:55:24.296 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\mpr.dll ; FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855) ; Description=Multiple Provider Router DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=mpr.dll ; Hashes=MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967089 ; UtcTime=2021-09-30 12:55:24.295 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\wshom.ocx ; FileVersion=5.812.10240.16384 ; Description=Windows Script Host Runtime Library ; Product=Microsoft ® Windows Script Host Runtime Library ; Company=Microsoft Corporation ; OriginalFileName=wshom.ocx ; Hashes=MD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967067 ; UtcTime=2021-09-30 12:55:24.179 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\ncryptsslp.dll ; FileVersion=10.0.14393.4583 (rs1_release.210730-1850) ; Description=Microsoft SChannel Provider ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ncryptsslp.dll ; Hashes=MD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=13 (RegistryEvent) ; RecordID=14967066 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=13 (RegistryEvent) ; RecordID=14967065 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=13 (RegistryEvent) ; RecordID=14967064 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=13 (RegistryEvent) ; RecordID=14967063 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=13 (RegistryEvent) ; RecordID=14967062 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=13 (RegistryEvent) ; RecordID=14967061 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:24.165 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList ; Details=Binary Data
EventID=7 (ImageLoad) ; RecordID=14967060 ; UtcTime=2021-09-30 12:55:24.164 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\cryptnet.dll ; FileVersion=10.0.14393.2035 (rs1_release_inmarket.180110-1910) ; Description=Crypto Network Related API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=CRYPTNET.DLL ; Hashes=MD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 (RegistryEvent) ; RecordID=14967059 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
EventID=12 (RegistryEvent) ; RecordID=14967058 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
EventID=12 (RegistryEvent) ; RecordID=14967057 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
EventID=12 (RegistryEvent) ; RecordID=14967056 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
EventID=12 (RegistryEvent) ; RecordID=14967055 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
EventID=12 (RegistryEvent) ; RecordID=14967054 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
EventID=12 (RegistryEvent) ; RecordID=14967053 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
EventID=12 (RegistryEvent) ; RecordID=14967052 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
EventID=12 (RegistryEvent) ; RecordID=14967051 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
EventID=12 (RegistryEvent) ; RecordID=14967050 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
EventID=12 (RegistryEvent) ; RecordID=14967049 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
EventID=12 (RegistryEvent) ; RecordID=14967048 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.162 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
EventID=12 (RegistryEvent) ; RecordID=14967047 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.161 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 (ImageLoad) ; RecordID=14967046 ; UtcTime=2021-09-30 12:55:24.161 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\dpapi.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Data Protection API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=dpapi.dll ; Hashes=MD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967045 ; UtcTime=2021-09-30 12:55:24.160 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\ntasn1.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Microsoft ASN.1 API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ntasn1.dll ; Hashes=MD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967044 ; UtcTime=2021-09-30 12:55:24.158 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\ncrypt.dll ; FileVersion=10.0.14393.4046 (rs1_release.201028-1803) ; Description=Windows NCrypt Router ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ncrypt.dll ; Hashes=MD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967043 ; UtcTime=2021-09-30 12:55:24.156 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\mskeyprotect.dll ; FileVersion=10.0.14393.4046 (rs1_release.201028-1803) ; Description=Microsoft Key Protection Provider ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=mskeyprotect.dll ; Hashes=MD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 (RegistryEvent) ; RecordID=14967042 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:24.143 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\WScript.exe ; TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventID=7 (ImageLoad) ; RecordID=14967041 ; UtcTime=2021-09-30 12:55:24.142 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\schannel.dll ; FileVersion=10.0.14393.4225 (rs1_release.210127-1811) ; Description=TLS / SSL Security Provider ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=schannel.dll ; Hashes=MD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14967040 ; UtcTime=2021-09-30 12:55:24.129 ; ProcessGuid={8B6011A9-B3BB-6155-CC37-02000000F001} ; ProcessId=1588 ; Image=C:\Windows\System32\wscript.exe ; ImageLoaded=C:\Windows\System32\FWPUCLNT.DLL ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=FWP/IPsec User-Mode API ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=fwpuclnt.dll ; Hashes=MD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14970011 ; UtcTime=2021-09-30 12:55:25.847 ; ProcessGuid={8B6011A9-B3BD-6155-CF37-02000000F001} ; ProcessId=5876 ; Image=C:\Windows\SysWOW64\regsvr32.exe ; ImageLoaded=C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll ; FileVersion=1.00 ; Description=DynamicWrapperX object ; Product=DynamicWrapperX ; Company=- ; OriginalFileName=dynwrapx.dll ; Hashes=MD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379 ; Signed=false ; Signature=- ; SignatureStatus=Unavailable
EventID=7 (ImageLoad) ; RecordID=14970010 ; UtcTime=2021-09-30 12:55:25.851 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll ; FileVersion=1.00 ; Description=DynamicWrapperX object ; Product=DynamicWrapperX ; Company=- ; OriginalFileName=dynwrapx.dll ; Hashes=MD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379 ; Signed=false ; Signature=- ; SignatureStatus=Unavailable
EventID=13 (RegistryEvent) ; RecordID=14969897 ; EventType=SetValue ; UtcTime=2021-09-30 12:55:25.847 ; ProcessGuid={8B6011A9-B3BD-6155-CF37-02000000F001} ; ProcessId=5876 ; Image=C:\Windows\SysWOW64\regsvr32.exe ; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default) ; Details=C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
EventID=7 (ImageLoad) ; RecordID=14969802 ; UtcTime=2021-09-30 12:55:25.781 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\apphelp.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Application Compatibility Client Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=Apphelp ; Hashes=MD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969763 ; UtcTime=2021-09-30 12:55:25.772 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\edputil.dll ; FileVersion=10.0.14393.2457 (rs1_release_inmarket.180822-1743) ; Description=EDP util ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=EDPUTIL.DLL ; Hashes=MD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969730 ; UtcTime=2021-09-30 12:55:25.758 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\actxprxy.dll ; FileVersion=10.0.14393.3808 (rs1_release.200707-2105) ; Description=ActiveX Interface Marshaling Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ActXPrxy.dll ; Hashes=MD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09F ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=10 (ProcessAccess) ; RecordID=14969719 ; UtcTime=2021-09-30 12:55:25.776 ; SourceProcessGUID={8B6011A9-B3BC-6155-CE37-02000000F001} ; SourceProcessId=9424 ; SourceThreadId=9540 ; SourceImage=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetProcessGUID={8B6011A9-B3BD-6155-CF37-02000000F001} ; TargetProcessId=5876 ; TargetImage=C:\Windows\SysWOW64\regsvr32.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
EventID=1 (ProcessCreate) ; RecordID=14969718 ; UtcTime=2021-09-30 12:55:25.776 ; ProcessGuid={8B6011A9-B3BD-6155-CF37-02000000F001} ; ProcessId=5876 ; Image=C:\Windows\SysWOW64\regsvr32.exe ; FileVersion=10.0.14393.1378 (rs1_release.170620-2008) ; Description=Microsoft(C) Register Server ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=REGSVR32.EXE ; CommandLine="C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll" ; CurrentDirectory=C:\Users\Administrator\Desktop\ ; User=ATTACKRANGE\Administrator ; LogonGuid={8B6011A9-5DE5-6143-CEE2-400000000000} ; LogonId=0x40e2ce ; TerminalSessionId=2 ; IntegrityLevel=High ; Hashes=MD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467 ; ParentProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ParentProcessId=9424 ; ParentImage=C:\Windows\SysWOW64\wscript.exe ; ParentCommandLine="C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
EventID=12 (RegistryEvent) ; RecordID=14969715 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:25.770 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
EventID=12 (RegistryEvent) ; RecordID=14969714 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:25.760 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
EventID=12 (RegistryEvent) ; RecordID=14969713 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:25.760 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
EventID=7 (ImageLoad) ; RecordID=14969704 ; UtcTime=2021-09-30 12:55:25.744 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\propsys.dll ; FileVersion=7.0.14393.4169 (rs1_release.210107-1130) ; Description=Microsoft Property System ; Product=Windows® Search ; Company=Microsoft Corporation ; OriginalFileName=propsys.dll ; Hashes=MD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969678 ; UtcTime=2021-09-30 12:55:25.714 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbem\fastprox.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=WMI Custom Marshaller ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=fastprox.dll ; Hashes=MD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969645 ; UtcTime=2021-09-30 12:55:25.707 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbem\wbemsvc.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemsvc.dll ; Hashes=MD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969600 ; UtcTime=2021-09-30 12:55:25.704 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbem\wmiutils.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wmiutils.dll ; Hashes=MD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969566 ; UtcTime=2021-09-30 12:55:25.702 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbem\wbemprox.dll ; FileVersion=10.0.14393.4169 (rs1_release.210107-1130) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemprox.dll ; Hashes=MD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969540 ; UtcTime=2021-09-30 12:55:25.701 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbemcomn.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=WMI ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=wbemcomn.dll ; Hashes=MD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=7 (ImageLoad) ; RecordID=14969515 ; UtcTime=2021-09-30 12:55:25.697 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SysWOW64\wscript.exe ; ImageLoaded=C:\Windows\SysWOW64\wbem\wbemdisp.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=WMI Scripting ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WBEMDISP.DLL ; Hashes=MD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 (RegistryEvent) ; RecordID=14969494 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:25.701 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
EventID=12 (RegistryEvent) ; RecordID=14969493 ; EventType=CreateKey ; UtcTime=2021-09-30 12:55:25.701 ; ProcessGuid={8B6011A9-B3BC-6155-CE37-02000000F001} ; ProcessId=9424 ; Image=C:\Windows\SYSWOW64\WSCRIPT.EXE ; TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
EventID=7 (ImageLoad) ; RecordID=14969463 ; UtcTime=2021-09-30 (remainder of this record is on the following line)
12:55:25.405{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014969437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.404{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014969412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.402{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000014969387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.288{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000014969363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:25.274{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000014969332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.271{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014969312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.270{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000014969287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.268{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014969262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:25.267{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000014969229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.252{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014969201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.238{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014969177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014969147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:25.232{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000014969119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.224{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 734700x800000000000000014969098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.223{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014969070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.222{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000014969046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:25.219{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014969018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.214{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014968993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.212{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014968966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.210{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
734700x800000000000000014968942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.201{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014968914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.198{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014968885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.170{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014968861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.153{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 
734700x800000000000000014968836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.153{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014968811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.152{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 13241300x800000000000000014968792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.275{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014968791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.275{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014968790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.275{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000014968789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.275{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000014968788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014968787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014968786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014968785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014968784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014968783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014968782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014968781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014968780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014968779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014968778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014968777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.272{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014968776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.271{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014968767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.138{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 
3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 12241200x800000000000000014968748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.252{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014968740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.125{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014968708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.121{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 12241200x800000000000000014968684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
734700x800000000000000014968681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.120{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 12241200x800000000000000014968677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.235{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.234{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.234{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014968662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
12:55:25.232{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014968652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.116{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 13241300x800000000000000014968636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.226{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014968635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.226{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014968634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.226{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014968626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
12:55:25.224{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 734700x800000000000000014968624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:25.113{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 12241200x800000000000000014968621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.224{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014968619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:25.223{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014968615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:25.223{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014968613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
12:55:29.974{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014971167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.974{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014971166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.973{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014971164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.973{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014971163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.973{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014971162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.972{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014971161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.972{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014971159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.972{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014971157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.971{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014971156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.971{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014971154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.971{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014971152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.971{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014971149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.970{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014971147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.970{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014971144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.969{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014971143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.969{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014971141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.969{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014971138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.968{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014971137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.968{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014971136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.968{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014971135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.967{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000014971133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.967{8B6011A9-B3BC-6155-CE37-02000000F001}94246376C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B3C1-6155-D937-02000000F001}6996C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000014971132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.967{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 
(rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 154100x800000000000000014971131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.967{8B6011A9-B3C1-6155-D937-02000000F001}6996C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 734700x800000000000000014971130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.967{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014971129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.966{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 
734700x800000000000000014971128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.966{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014971127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.965{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014971126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.965{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x800000000000000014971125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:29.964{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014971124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.964{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014971123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:29.964{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014971122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.964{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014971121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.964{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.963{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014971119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.963{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.963{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014971117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.962{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014971116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.962{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014971115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.962{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014971114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.962{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014971113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.959{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014971112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.959{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007200169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(000000000844D1E8) 154100x800000000000000014971111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.959{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 534500x800000000000000014971428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.302{8B6011A9-B3BF-6155-D237-02000000F001}9560C:\Windows\winhlp32.exe 734700x800000000000000014971422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:30.262{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014971421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.261{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014971411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.001{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 734700x800000000000000014971383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.000{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 734700x800000000000000014971356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:29.997{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014971328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.993{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014971310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.014{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000014971304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.989{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014971285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:30.012{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014971284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:30.012{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 12241200x800000000000000014971282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:30.001{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014971281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:30.001{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014971280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:30.001{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014971279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:30.001{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014971278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:29.999{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014971277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:29.999{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014971276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:29.999{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014971275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:29.999{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014971456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.998{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014971455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.998{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014971454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.998{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.998{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014971452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.998{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.997{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating 
SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014971450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.997{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014971449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.996{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014971448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.996{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014971447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.996{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014971446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.993{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014971445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.993{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007360169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(000000000844D1E8) 154100x800000000000000014971444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:31.993{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" 354300x800000000000000014971443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:46.490{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local50515-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 534500x800000000000000014971667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.085{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exe 734700x800000000000000014971658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.056{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 734700x800000000000000014971637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.054{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 
10341000x800000000000000014971614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.059{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014971613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.059{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014971612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.059{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014971611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.059{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014971610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014971609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014971608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014971607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014971603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.058{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014971602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.057{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014971601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.057{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014971600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.057{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014971599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.057{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 18141800x800000000000000014971597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 12:55:32.055{8B6011A9-B3BC-6155-CE37-02000000F001}9424\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 734700x800000000000000014971588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.047{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 
734700x800000000000000014971563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.040{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 10341000x800000000000000014971544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.042{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014971543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.042{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014971542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.042{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014971541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.042{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000014971540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014971539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014971538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 22542200x800000000000000014971537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:47.326{8B6011A9-B3C1-6155-D837-02000000F001}7516snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 10341000x800000000000000014971536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014971535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014971534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014971533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000014971532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.041{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000014971530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.030{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 11241100x800000000000000014971529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.039{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 
23542300x800000000000000014971528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.038{8B6011A9-B3BC-6155-CE37-02000000F001}9424ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000014971526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014971522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014971521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014971520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014971519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.036{8B6011A9-B3BC-6155-CE37-02000000F001}94247392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000014971513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.027{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 734700x800000000000000014971493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:32.029{8B6011A9-B3BC-6155-CE37-02000000F001}9424C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 534500x800000000000000014971490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.012{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exe 734700x800000000000000014971489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.008{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014971488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.008{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014971487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.008{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014971486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.007{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014971485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.007{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014971484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.007{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014971483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:32.007{8B6011A9-B3C3-6155-DA37-02000000F001}6772C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® 
534500x800000000000000014971768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.617{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe 734700x800000000000000014971767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.617{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014971766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.617{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.617{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014971764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.617{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014971763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.616{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014971762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.616{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014971761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.615{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014971760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.615{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000014971759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.615{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 12241200x800000000000000014971758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.615{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 734700x800000000000000014971757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.615{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014971756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.614{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014971755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
12:55:42.613{8B6011A9-B3C1-6155-D837-02000000F001}75165268C:\Windows\winhlp32.exe{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014971754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.614{8B6011A9-B3CE-6155-DB37-02000000F001}7964C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\wgpaqwnuqgvpvuuvqmeeey.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 
13241300x800000000000000014971753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:42.610{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014971752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:42.610{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000014971751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:42.610{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014971750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:42.610{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014971749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.609{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014971748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
12:55:42.601{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000014971747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x800000000000000014971746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000014971745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000014971744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 12241200x800000000000000014971743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 
12241200x800000000000000014971742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.600{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000014971741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.598{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014971740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.596{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014971739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 12:55:42.595{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 
734700x800000000000000014971738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.590{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014971737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.588{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014971736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.588{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014971735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.587{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 
10341000x800000000000000014971734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.586{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014971733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.586{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014971732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.586{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014971731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.585{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 11241100x800000000000000014971730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 12:55:42.584{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\wgpaqwnuqgvpvuuvqmeeey.vbs2021-09-30 12:55:42.584 12241200x800000000000000014971729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-30 12:55:42.583{8B6011A9-B3C1-6155-D837-02000000F001}7516C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014977006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.943{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014977005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.943{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014977004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.942{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime 
LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014976993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.824{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 734700x800000000000000014976967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.811{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x800000000000000014976940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.809{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014976915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.809{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014976890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.808{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 13241300x800000000000000014976865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014976862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014976861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.808{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 13241300x800000000000000014976856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014976853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014976848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014976844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:58.812{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000014976842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:58.810{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014976841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:58.810{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014976840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:58.810{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 
Sysmon records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-469.attackrange.local, all dated 2021-09-30, RecordID 14976564 to 14976839, in the exported order (newest first). Values identical on every record below are stated once here instead of per line: Keywords 0x8000000000000000, Level 4, Opcode 0, Task equal to the EventID, Security UserID "-", Version 3 on Events 7 and 10 and Version 2 on Events 12 and 13. Every Event 7, 12 and 13 record has ProcessGuid {8B6011A9-B50A-6155-0238-02000000F001}, ProcessId 9056 and Image C:\Windows\System32\wscript.exe (exported as WScript.exe on the registry events). Every Event 7 record has Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid, and Product Microsoft® Windows® Operating System unless another Product is given. The export concatenated SourceProcessId and SourceThreadId on the Event 10 records without a separator, so they are shown as exported. The last record is cut off at the end of this section.

Event 12 CreateKey | Rec 14976839 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
Event 12 CreateKey | Rec 14976838 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
Event 12 CreateKey | Rec 14976837 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
Event 12 CreateKey | Rec 14976835 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
Event 12 CreateKey | Rec 14976834 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
Event 12 CreateKey | Rec 14976833 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
Event 12 CreateKey | Rec 14976832 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Event 12 CreateKey | Rec 14976831 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Event 12 CreateKey | Rec 14976830 | 13:00:58.810 | TargetObject HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Event 12 CreateKey | Rec 14976829 | 13:00:58.810 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Event 7 ImageLoaded | Rec 14976818 | 13:00:58.791 | ImageLoaded C:\Windows\System32\schannel.dll | FileVersion 10.0.14393.4225 (rs1_release.210127-1811) | Description TLS / SSL Security Provider | OriginalFileName schannel.dll | MD5=2562B81E255EB6DF8497402ABC6C59BB | SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4
Event 7 ImageLoaded | Rec 14976789 | 13:00:58.781 | ImageLoaded C:\Windows\System32\FWPUCLNT.DLL | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description FWP/IPsec User-Mode API | OriginalFileName fwpuclnt.dll | MD5=A65FA613342B08E0F760D8B13B9C135A | SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED
Event 12 CreateKey | Rec 14976773 | 13:00:58.792 | TargetObject HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Event 7 ImageLoaded | Rec 14976761 | 13:00:58.760 | ImageLoaded C:\Windows\System32\rasadhlp.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Remote Access AutoDial Helper | OriginalFileName rasadhlp.dll | MD5=FAE8D0480BDD905EEA453D3A57C8D5C6 | SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C
Event 7 ImageLoaded | Rec 14976734 | 13:00:58.752 | ImageLoaded C:\Windows\System32\winnsi.dll | FileVersion 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | Description Network Store Information RPC interface | OriginalFileName winnsi.dll | MD5=25B3BD4D63460EE4599F5631C1B83D21 | SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1
Event 7 ImageLoaded | Rec 14976708 | 13:00:58.751 | ImageLoaded C:\Windows\System32\mswsock.dll | FileVersion 10.0.14393.3659 (rs1_release_1.200410-1813) | Description Microsoft Windows Sockets 2.0 Service Provider | OriginalFileName mswsock.dll | MD5=B52ACA309FD6F72105951FFBA022327B | SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202
Event 7 ImageLoaded | Rec 14976683 | 13:00:58.750 | ImageLoaded C:\Windows\System32\winhttp.dll | FileVersion 10.0.14393.4467 (rs1_release.210604-1844) | Description Windows HTTP Services | OriginalFileName winhttp.dll | MD5=8893BE5829B2F909E7FC4AF4C43B54F9 | SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458
Event 7 ImageLoaded | Rec 14976659 | 13:00:58.741 | ImageLoaded C:\Windows\System32\iertutil.dll | FileVersion 11.00.14393.4467 (rs1_release.210604-1844) | Description Run time utility for Internet Explorer | Product Internet Explorer | OriginalFileName IeRtUtil.dll | MD5=1D608361848C3A3AC56488995E8D0BB1 | SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBF
Event 12 CreateKey | Rec 14976641, 14976640, 14976639, 14976638, 14976637, 14976636, 14976635 (seven records with identical content) | 13:00:58.760 | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Event 12 CreateKey | Rec 14976634 | 13:00:58.758 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
Event 7 ImageLoaded | Rec 14976633 | 13:00:58.757 | ImageLoaded C:\Windows\System32\dnsapi.dll | FileVersion 10.0.14393.4350 (rs1_release.210407-2154) | Description DNS Client API DLL | OriginalFileName dnsapi | MD5=D7651F99299B13D576A72643BFC44944 | SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9
Event 13 SetValue | Rec 14976632 | 13:00:58.755 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix | Details Visited:
Event 13 SetValue | Rec 14976631 | 13:00:58.755 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix | Details Cookie:
Event 13 SetValue | Rec 14976630 | 13:00:58.754 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Details (Empty)
Event 13 SetValue | Rec 14976628 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings | Details Binary Data
Event 12 CreateKey | Rec 14976627 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Event 12 CreateKey | Rec 14976626 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Event 13 SetValue | Rec 14976625 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable | Details DWORD (0x00000000)
Event 12 CreateKey | Rec 14976624 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Event 12 CreateKey | Rec 14976623 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Event 12 CreateKey | Rec 14976622 | 13:00:58.753 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Event 13 SetValue | Rec 14976621 | 13:00:58.752 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Details DWORD (0x00000000)
Event 13 SetValue | Rec 14976620 | 13:00:58.752 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Details DWORD (0x00000000)
Event 7 ImageLoaded | Rec 14976619 | 13:00:58.752 | ImageLoaded C:\Windows\System32\nsi.dll | FileVersion 10.0.14393.3297 (rs1_release_1.191001-1045) | Description NSI User-mode interface DLL | OriginalFileName nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC | SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27
Event 13 SetValue | Rec 14976618 | 13:00:58.752 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Details DWORD (0x00000000)
Event 13 SetValue | Rec 14976617 | 13:00:58.752 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Details DWORD (0x00000000)
Event 12 CreateKey | Rec 14976616 | 13:00:58.751 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Event 12 CreateKey | Rec 14976615 | 13:00:58.751 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Event 7 ImageLoaded | Rec 14976614 | 13:00:58.750 | ImageLoaded C:\Windows\System32\IPHLPAPI.DLL | FileVersion 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | Description IP Helper API | OriginalFileName iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5 | SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B
Event 7 ImageLoaded | Rec 14976613 | 13:00:58.749 | ImageLoaded C:\Windows\System32\OnDemandConnRouteHelper.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description On Demand Connctiond Route Helper (as embedded in the file's version resource) | OriginalFileName OnDemandConnRouteHelper.dll | MD5=BAE78E97BEBB832376654560305922E3 | SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355
Event 7 ImageLoaded | Rec 14976612 | 13:00:58.749 | ImageLoaded C:\Windows\System32\ws2_32.dll | FileVersion 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description Windows Socket 2.0 32-Bit DLL | OriginalFileName ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140 | SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0
Event 10 ProcessAccess | Rec 14976611 | 13:00:58.747 | SourceImage C:\Windows\system32\lsass.exe | SourceProcessGUID {8B6011A9-51EB-6143-0B00-00000000F001} | SourceProcessId+SourceThreadId 6323244 | TargetImage C:\Windows\System32\WScript.exe | TargetProcessGUID {8B6011A9-B50A-6155-0238-02000000F001} | TargetProcessId 9056 | GrantedAccess 0x1478 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Event 10 ProcessAccess | Rec 14976610 | 13:00:58.747 | SourceImage C:\Windows\system32\lsass.exe | SourceProcessGUID {8B6011A9-51EB-6143-0B00-00000000F001} | SourceProcessId+SourceThreadId 6323244 | TargetImage C:\Windows\System32\WScript.exe | TargetProcessGUID {8B6011A9-B50A-6155-0238-02000000F001} | TargetProcessId 9056 | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Event 7 ImageLoaded | Rec 14976609 | 13:00:58.746 | ImageLoaded C:\Windows\System32\sspicli.dll | FileVersion 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Description Security Support Provider Interface | OriginalFileName sspicli.dll | MD5=5061339CE61C0B32DB8F51A95E3B2422 | SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25
Event 7 ImageLoaded | Rec 14976608 | 13:00:58.743 | ImageLoaded C:\Windows\System32\mlang.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Multi Language Support DLL | OriginalFileName MLANG.DLL | MD5=1DB944C25F1B1D7105543E61F1CC5E2F | SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046
Event 7 ImageLoaded | Rec 14976607 | 13:00:58.742 | ImageLoaded C:\Windows\System32\wininet.dll | FileVersion 11.00.14393.4583 (rs1_release.210730-1850) | Description Internet Extensions for Win32 | Product Internet Explorer | OriginalFileName wininet.dll | MD5=524876363DA8F469C13E0818256B6131 | SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035
Event 7 ImageLoaded | Rec 14976605 | 13:00:58.721 | ImageLoaded C:\Windows\System32\srvcli.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Server Service Client DLL | OriginalFileName SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6 | SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB
Event 7 ImageLoaded | Rec 14976604 | 13:00:58.721 | ImageLoaded C:\Windows\System32\netutils.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Net Win32 API Helpers DLL | OriginalFileName NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375 | SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923
Event 7 ImageLoaded | Rec 14976603 | 13:00:58.720 | ImageLoaded C:\Windows\System32\urlmon.dll | FileVersion 11.00.14393.4530 (rs1_release.210705-0736) | Description OLE32 Extensions for Win32 | Product Internet Explorer | OriginalFileName UrlMon.dll | MD5=B63DBDFEC215CF37259DC4A88ADBD0E7 | SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1
Event 7 ImageLoaded | Rec 14976602 | 13:00:58.705 | ImageLoaded C:\Windows\System32\msxml3.dll | FileVersion 8.110.14393.4467 | Description MSXML 3.0 | Product Microsoft XML Core Services | OriginalFileName MSXML3.dll | MD5=6814685E95C03FBB44F443A2E382A0BC | SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CF
Event 7 ImageLoaded | Rec 14976601 | 13:00:58.704 | ImageLoaded C:\Windows\System32\scrobj.dll | FileVersion 5.812.10240.16384 | Description Windows ® Script Component Runtime | Product Microsoft ® Windows ® Script Component Runtime | OriginalFileName scrobj.dll | MD5=3F155F13E3FDA8FFD111D5FD453CCBA2 | SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00
Event 7 ImageLoaded | Rec 14976600 | 13:00:58.702 | ImageLoaded C:\Windows\System32\profapi.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description User Profile Basic API | OriginalFileName PROFAPI.DLL | MD5=0BC84513575743DA177F3DFE18D35CA7 | SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899
Event 7 ImageLoaded | Rec 14976599 | 13:00:58.702 | ImageLoaded C:\Windows\System32\SHCore.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description SHCORE | OriginalFileName SHCORE.dll | MD5=D287E1BC5A148E2BCB482DBD0E925738 | SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D
Event 7 ImageLoaded | Rec 14976598 | 13:00:58.702 | ImageLoaded C:\Windows\System32\shlwapi.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Shell Light-weight Utility Library | OriginalFileName SHLWAPI.DLL | MD5=F9E249B6BB80C06BA30A61854567796C | SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA
Event 7 ImageLoaded | Rec 14976597 | 13:00:58.701 | ImageLoaded C:\Windows\System32\powrprof.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Power Profile Helper DLL | OriginalFileName POWRPROF.DLL | MD5=C55F634054E45C0DEE47C254AE009928 | SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575
Event 7 ImageLoaded | Rec 14976596 | 13:00:58.701 | ImageLoaded C:\Windows\System32\windows.storage.dll | FileVersion 10.0.14393.4583 (rs1_release.210730-1850) | Description Microsoft WinRT Storage API | OriginalFileName Windows.Storage.dll | MD5=1D7997E3AFC26B85024D33F835E18056 | SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBF
Event 7 ImageLoaded | Rec 14976595 | 13:00:58.701 | ImageLoaded C:\Windows\System32\cfgmgr32.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Configuration Manager DLL | OriginalFileName CFGMGR32.DLL | MD5=77BF2979C1A08EBA43C24FE0B7E547BE | SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704
Event 7 ImageLoaded | Rec 14976594 | 13:00:58.701 | ImageLoaded C:\Windows\System32\shell32.dll | FileVersion 10.0.14393.4583 (rs1_release.210730-1850) | Description Windows Shell Common Dll | OriginalFileName SHELL32.DLL | MD5=837B8644B9CE47EC28152E7D764886E0 | SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044F
Event 7 ImageLoaded | Rec 14976593 | 13:00:58.700 | ImageLoaded C:\Windows\System32\wshext.dll | FileVersion 5.812.10240.16384 | Description Microsoft ® Shell Extension for Windows Script Host | Product Microsoft ® Windows Script Host | OriginalFileName wshext.dll | MD5=BA425FEBA35E20778ADB8FAF7268D8A0 | SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41
Event 7 ImageLoaded | Rec 14976592 | 13:00:58.700 | ImageLoaded C:\Windows\System32\coml2.dll | FileVersion 10.0.14393.2608 (rs1_release.181024-1742) | Description Microsoft COM for Windows | OriginalFileName COML2.DLL | MD5=F51CCB7A95B83C1327390BF672AFD328 | SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF
Event 7 ImageLoaded | Rec 14976591 | 13:00:58.696 | ImageLoaded C:\Windows\System32\msisip.dll | FileVersion 5.0.14393.4530 (rs1_release.210705-0736) | Description MSI Signature SIP Provider | Product Windows Installer - Unicode | OriginalFileName MSISIP.DLL | MD5=A579FD92E60D1CE05E20BF7569D579E8 | SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986
Event 12 CreateKey | Rec 14976590 | 13:00:58.695 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Event 7 ImageLoaded | Rec 14976589 | 13:00:58.695 | ImageLoaded C:\Windows\System32\cryptbase.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Base cryptographic API DLL | OriginalFileName cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C | SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE
Event 7 ImageLoaded | Rec 14976588 | 13:00:58.694 | ImageLoaded C:\Windows\System32\bcrypt.dll | FileVersion 10.0.14393.4583 (rs1_release.210730-1850) | Description Windows Cryptographic Primitives Library | OriginalFileName bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4 | SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74
Event 7 ImageLoaded | Rec 14976587 | 13:00:58.694 | ImageLoaded C:\Windows\System32\rsaenh.dll | FileVersion 10.0.14393.4467 (rs1_release.210604-1844) | Description Microsoft Enhanced Cryptographic Provider | OriginalFileName rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA | SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862
Event 7 ImageLoaded | Rec 14976586 | 13:00:58.694 | ImageLoaded C:\Windows\System32\cryptsp.dll | FileVersion 10.0.14393.2969 (rs1_release.190503-1820) | Description Cryptographic Service Provider API | OriginalFileName cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149 | SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C
Event 7 ImageLoaded | Rec 14976585 | 13:00:58.692 | ImageLoaded C:\Windows\System32\wintrust.dll | FileVersion 10.0.14393.4530 (rs1_release.210705-0736) | Description Microsoft Trust Verification APIs | OriginalFileName WINTRUST.DLL | MD5=992BCD32EF7680C574A426FAA4933ACA | SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3D
Event 7 ImageLoaded | Rec 14976584 | 13:00:58.692 | ImageLoaded C:\Windows\System32\msasn1.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description ASN.1 Runtime APIs | OriginalFileName msasn1.dll | MD5=299464D218A27B56684B715365D149FE | SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242
Event 7 ImageLoaded | Rec 14976583 | 13:00:58.692 | ImageLoaded C:\Windows\System32\crypt32.dll | FileVersion 10.0.14393.4350 (rs1_release.210407-2154) | Description Crypto API32 | OriginalFileName CRYPT32.DLL | MD5=95BA70CFA8087A209500D7D350BF3A59 | SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA
Event 7 ImageLoaded | Rec 14976582 | 13:00:58.692 | ImageLoaded C:\Windows\System32\wldp.dll | FileVersion 10.0.14393.3143 (rs1_release.190725-1725) | Description Windows Lockdown Policy | OriginalFileName wldp.dll | MD5=51A0208B106B4392AC4B3174B27A39EF | SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4
Event 7 ImageLoaded | Rec 14976581 | 13:00:58.690 | ImageLoaded C:\Windows\System32\amsi.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Anti-Malware Scan Interface | OriginalFileName amsi.dll | MD5=89C79675F7FEDEB6373C9D2045F7B7C5 | SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131
Event 7 ImageLoaded | Rec 14976580 | 13:00:58.689 | ImageLoaded C:\Windows\System32\vbscript.dll | FileVersion 5.812.10240.16384 | Description Microsoft ® VBScript | Product Microsoft ® VBScript | OriginalFileName vbscript.dll | MD5=B9598FFF335D808F6E4B3B19F0E1E0F3 | SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6
Event 7 ImageLoaded | Rec 14976579 | 13:00:58.688 | ImageLoaded C:\Windows\System32\clbcatq.dll | FileVersion 2001.12.10941.16384 (rs1_release.210107-1130) | Description COM+ Configuration Catalog | OriginalFileName CLBCATQ.DLL | MD5=A82FB68F785E73141F5ABC91850595A8 | SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2
Event 7 ImageLoaded | Rec 14976578 | 13:00:58.688 | ImageLoaded C:\Windows\System32\dwmapi.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Microsoft Desktop Window Manager API | OriginalFileName dwmapi.dll | MD5=74621C6ABE4E9A568DF0A38E7282D71E | SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A
Event 7 ImageLoaded | Rec 14976577 | 13:00:58.687 | ImageLoaded C:\Windows\System32\msctf.dll | FileVersion 10.0.14393.4530 (rs1_release.210705-0736) | Description MSCTF Server DLL | OriginalFileName MSCTF.DLL | MD5=E2374A214A9F0C8347C29EBDE3447986 | SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1
Event 7 ImageLoaded | Rec 14976576 | 13:00:58.686 | ImageLoaded C:\Windows\System32\sxs.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Fusion 2.5 | OriginalFileName SXS.DLL | MD5=54FB18CA661D074CBB60D5A58D40C8D3 | SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0
Event 12 CreateKey | Rec 14976575 | 13:00:58.686 | TargetObject HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
Event 12 CreateKey | Rec 14976574 | 13:00:58.686 | TargetObject HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
Event 10 ProcessAccess | Rec 14976573 | 13:00:58.685 | SourceImage C:\Windows\system32\svchost.exe | SourceProcessGUID {8B6011A9-51ED-6143-0C00-00000000F001} | SourceProcessId+SourceThreadId 8528904 | TargetImage C:\Windows\System32\WScript.exe | TargetProcessGUID {8B6011A9-B50A-6155-0238-02000000F001} | TargetProcessId 9056 | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Event 10 ProcessAccess | Rec 14976572 | 13:00:58.684 | SourceImage C:\Windows\System32\svchost.exe | SourceProcessGUID {8B6011A9-51ED-6143-1600-00000000F001} | SourceProcessId+SourceThreadId 13241472 | TargetImage C:\Windows\System32\WScript.exe | TargetProcessGUID {8B6011A9-B50A-6155-0238-02000000F001} | TargetProcessId 9056 | GrantedAccess 0x1400 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Event 10 ProcessAccess | Rec 14976571 | 13:00:58.684 | SourceImage C:\Windows\System32\svchost.exe | SourceProcessGUID {8B6011A9-51ED-6143-1600-00000000F001} | SourceProcessId+SourceThreadId 13241356 | TargetImage C:\Windows\System32\WScript.exe | TargetProcessGUID {8B6011A9-B50A-6155-0238-02000000F001} | TargetProcessId 9056 | GrantedAccess 0x1478 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Event 7 ImageLoaded | Rec 14976570 | 13:00:58.684 | ImageLoaded C:\Windows\System32\uxtheme.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Microsoft UxTheme Library | OriginalFileName UxTheme.dll | MD5=43AEE61AFABE70BFC876CC53D6A64E04 | SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12
Event 7 ImageLoaded | Rec 14976569 | 13:00:58.683 | ImageLoaded C:\Windows\System32\kernel.appcore.dll | FileVersion 10.0.14393.2312 (rs1_release.180607-1919) | Description AppModel API Host | OriginalFileName kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF | SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C
Event 7 ImageLoaded | Rec 14976568 | 13:00:58.681 | ImageLoaded C:\Windows\System32\imm32.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Multi-User Windows IMM32 API Client DLL | OriginalFileName imm32 | MD5=E1024CF2E35DD3467F52BC83F7FEDA3F | SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A
Event 7 ImageLoaded | Rec 14976567 | 13:00:58.680 | ImageLoaded C:\Windows\System32\version.dll | FileVersion 10.0.14393.0 (rs1_release.160715-1616) | Description Version Checking and File Installation Libraries | OriginalFileName VERSION.DLL | MD5=CFDB018AC09F879CAAE7A66CA7880D57 | SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5
Event 7 ImageLoaded | Rec 14976566 | 13:00:58.680 | ImageLoaded C:\Windows\System32\ole32.dll | FileVersion 10.0.14393.4169 (rs1_release.210107-1130) | Description Microsoft OLE for Windows | OriginalFileName OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4 | SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552
Event 7 ImageLoaded | Rec 14976565 | 13:00:58.679 | ImageLoaded C:\Windows\System32\bcryptprimitives.dll | FileVersion 10.0.14393.4583 (rs1_release.210730-1850) | Description Windows Cryptographic Primitives Library | OriginalFileName bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63 | SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353
Event 7 ImageLoaded | Rec 14976564 | 13:00:58.679 | ImageLoaded C:\Windows\System32\combase.dll | FileVersion 10.0.14393.4583 (rs1_release.210730-1850) | Description Microsoft COM for Windows | Product Microsoft® Windows® Operating System | Company Microsoft
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014976563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.679{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014976562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.679{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014976561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.679{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014976560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.678{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014976559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.678{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014976558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.678{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014976557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.678{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014976556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.677{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014976555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.677{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014976554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.677{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014976553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.677{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014976552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.676{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014976551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.675{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014976550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.675{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014976549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:58.675{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000014976548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:58.674
SourceProcessGUID: {8B6011A9-5DE3-6143-C106-00000000F001}
SourceProcessId: 436
SourceThreadId: 3712
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {8B6011A9-B50A-6155-0238-02000000F001}
TargetProcessId: 9056
TargetImage: C:\Windows\System32\WScript.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[Sysmon Event 10 ProcessAccess] RecordID 14976547 (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:58.673
SourceProcessGUID: {8B6011A9-B0F1-6155-7237-02000000F001}
SourceProcessId: 1252
SourceThreadId: 8384
SourceImage: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
TargetProcessGUID: {8B6011A9-B50A-6155-0238-02000000F001}
TargetProcessId: 9056
TargetImage: C:\Windows\System32\WScript.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Sysmon Event 1 ProcessCreate] RecordID 14976546 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:58.673
ProcessGuid: {8B6011A9-B50A-6155-0238-02000000F001}
ProcessId: 9056
Image: C:\Windows\System32\wscript.exe
FileVersion: 5.812.10240.16384
Description: Microsoft ® Windows Based Script Host
Product: Microsoft ® Windows Script Host
Company: Microsoft Corporation
OriginalFileName: wscript.exe
CommandLine: "C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs"
CurrentDirectory: C:\Users\Administrator\Desktop\
User: ATTACKRANGE\Administrator
LogonGuid: {8B6011A9-5DE5-6143-CEE2-400000000000}
LogonId: 0x40e2ce
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2
ParentProcessGuid: {8B6011A9-B0F1-6155-7237-02000000F001}
ParentProcessId: 1252
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"

[Sysmon Event 7 ImageLoad] RecordID 14977681 (Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.835
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SysWOW64\wscript.exe
ImageLoaded: C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
FileVersion: 1.00
Description: DynamicWrapperX object
Product: DynamicWrapperX
Company: -
OriginalFileName: dynwrapx.dll
Hashes: MD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
Signed: false
Signature: -
SignatureStatus: Unavailable

[Sysmon Event 13 RegistryEvent (Value Set)] RecordID 14977677 (Version 2, Level 4, Task 13, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
EventType: SetValue
UtcTime: 2021-09-30 13:00:59.832
ProcessGuid: {8B6011A9-B50B-6155-0538-02000000F001}
ProcessId: 4760
Image: C:\Windows\SysWOW64\regsvr32.exe
TargetObject: HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)
Details: C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll

[Sysmon Event 7 ImageLoad] RecordID 14977675 (Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.831
ProcessGuid: {8B6011A9-B50B-6155-0538-02000000F001}
ProcessId: 4760
Image: C:\Windows\SysWOW64\regsvr32.exe
ImageLoaded: C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
FileVersion: 1.00
Description: DynamicWrapperX object
Product: DynamicWrapperX
Company: -
OriginalFileName: dynwrapx.dll
Hashes: MD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379
Signed: false
Signature: -
SignatureStatus: Unavailable

[Sysmon Event 7 ImageLoad] RecordID 14977625 (Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.808
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SysWOW64\wscript.exe
ImageLoaded: C:\Windows\SysWOW64\apphelp.dll
FileVersion: 10.0.14393.4350 (rs1_release.210407-2154)
Description: Application Compatibility Client Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Apphelp
Hashes: MD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

[Sysmon Event 10 ProcessAccess] RecordID 14977624 (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.807
SourceProcessGUID: {8B6011A9-B50B-6155-0438-02000000F001}
SourceProcessId: 9672
SourceThreadId: 4692
SourceImage: C:\Windows\SYSWOW64\WSCRIPT.EXE
TargetProcessGUID: {8B6011A9-B50B-6155-0538-02000000F001}
TargetProcessId: 4760
TargetImage: C:\Windows\SysWOW64\regsvr32.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)

[Sysmon Event 1 ProcessCreate] RecordID 14977623 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.806
ProcessGuid: {8B6011A9-B50B-6155-0538-02000000F001}
ProcessId: 4760
Image: C:\Windows\SysWOW64\regsvr32.exe
FileVersion: 10.0.14393.1378 (rs1_release.170620-2008)
Description: Microsoft(C) Register Server
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: REGSVR32.EXE
CommandLine: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"
CurrentDirectory: C:\Users\Administrator\Desktop\
User: ATTACKRANGE\Administrator
LogonGuid: {8B6011A9-5DE5-6143-CEE2-400000000000}
LogonId: 0x40e2ce
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467
ParentProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ParentProcessId: 9672
ParentImage: C:\Windows\SysWOW64\wscript.exe
ParentCommandLine: "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"

[Sysmon Event 7 ImageLoad] RecordID 14977622 (Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30 13:00:59.803
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SysWOW64\wscript.exe
ImageLoaded: C:\Windows\SysWOW64\edputil.dll
FileVersion: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
Description: EDP util
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: EDPUTIL.DLL
Hashes: MD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

[Sysmon Event 12 RegistryEvent (Object create and delete)] RecordID 14977621 (Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
EventType: CreateKey
UtcTime: 2021-09-30 13:00:59.802
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SYSWOW64\WSCRIPT.EXE
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager

[Sysmon Event 12 RegistryEvent (Object create and delete)] RecordID 14977620 (Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
EventType: CreateKey
UtcTime: 2021-09-30 13:00:59.793
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SYSWOW64\WSCRIPT.EXE
TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders

[Sysmon Event 12 RegistryEvent (Object create and delete)] RecordID 14977619 (Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
EventType: CreateKey
UtcTime: 2021-09-30 13:00:59.792
ProcessGuid: {8B6011A9-B50B-6155-0438-02000000F001}
ProcessId: 9672
Image: C:\Windows\SYSWOW64\WSCRIPT.EXE
TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace

[Sysmon Event 7 ImageLoad] RecordID 14977618 (Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000)
Channel: Microsoft-Windows-Sysmon/Operational
Computer: win-dc-469.attackrange.local
RuleName: -
UtcTime: 2021-09-30
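The regsvr32 records above (RecordIDs 14977623, 14977675 and 14977677) are the part of this export worth a detection: the 32-bit wscript.exe running C:\Temp\remcos.vbs with //b //e:vbscript starts regsvr32.exe /I /S on dynwrapx.dll in the user's Temp directory, regsvr32 loads that DLL unsigned (Signed=false, SignatureStatus=Unavailable) and then writes its path into the per-user CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 default value, which is how the DynamicWrapperX COM object becomes instantiable from script. Note also the Image/CommandLine mismatch in the Event 1: the command line names System32\regsvr32.exe but the process image is SysWOW64\regsvr32.exe, because the parent is a WOW64 process, so a rule that matches the command-line path would miss it; match on the image basename. The Python below is an added example, not part of this export and not any vendor's detection content. It cuts the flattened records apart as they appear on this page (the header layout EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, optional EventType, UtcTime, and the field order after it, are inferred from the page's own records and are an assumption about this export, not a documented format), then applies three per-event rules and one per-process correlation. The sample input is three of the page's records for regsvr32 PID 4760, embedded as a constructed string; the rule names, the script-host list and the user-writable-path pattern are illustrative choices made here.

```python
"""Parse the flattened Sysmon export above and flag the wscript -> regsvr32 -> DynamicWrapperX chain."""
import re

# Constructed sample: three of the page's own records for regsvr32 PID 4760 (Event 13, 7 and 1),
# copied from the export, separated by the single space the export puts between records.
RAW = (
    r"13241300x800000000000000014977677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:59.832"
    r"{8B6011A9-B50B-6155-0538-02000000F001}4760C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes"
    r"\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll "
    r"734700x800000000000000014977675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.831"
    r"{8B6011A9-B50B-6155-0538-02000000F001}4760C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"
    r"1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,"
    r"SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable "
    r"154100x800000000000000014977623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.806"
    r"{8B6011A9-B50B-6155-0538-02000000F001}4760C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)"
    r'Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S '
    r'"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator'
    r"{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,"
    r"SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B50B-6155-0438-02000000F001}9672"
    r'C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"'
)

# Record header as it appears in this export (inferred layout, an assumption about the page's format):
# EventID Version Level(4) Task(=EventID) Opcode(0) Keywords RecordID Channel Computer "-" [EventType] UtcTime
HEADER = re.compile(
    r"(?P<id>\d{1,2})(?P<ver>\d)4(?P=id)0(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>[\w.-]+?)-(?P<etype>[A-Za-z]*)"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
GUID_PID_IMAGE = re.compile(r"(?P<guid>\{[0-9A-Fa-f-]{36}\})(?P<pid>\d+)(?P<image>[A-Za-z]:\\.*?\.[Ee][Xx][Ee])")
LOADED = re.compile(r"[A-Za-z]:\\.*?\.(?:[Dd][Ll][Ll]|[Oo][Cc][Xx]|[Ee][Xx][Ee])")
HASHES = re.compile(r"(?P<hashes>MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64})(?P<signed>true|false)")
EVENT1 = re.compile(
    r'(?P<cmd>"[^"]*"(?:\s+(?:"[^"]*"|[^\s"]+))*)'  # CommandLine starts at the first double quote
    r".*?(?P<hashes>MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64})"
    r"(?P<pguid>\{[0-9A-Fa-f-]{36}\})(?P<ppid>\d+)(?P<pimage>[A-Za-z]:\\.*?\.[Ee][Xx][Ee])(?P<pcmd>.*)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "powershell_ise.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp)\\", re.I)  # illustrative list
INPROC_KEY = re.compile(r"\\CLSID\\\{[0-9a-f-]{36}\}\\InProcServer32\\\(Default\)$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def split_args(cmdline):
    """Tokenise a Windows command line, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def parse(raw):
    """Cut the export at each header and recover the fields the detections need."""
    heads, out = list(HEADER.finditer(raw)), []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(raw)
        body = raw[h.end():end].strip()
        rec = {"EventID": int(h["id"]), "RecordID": int(h["rec"]), "Computer": h["host"],
               "EventType": h["etype"] or None, "UtcTime": h["utc"]}
        m = GUID_PID_IMAGE.match(body)
        if m:
            rec.update(ProcessGuid=m["guid"], ProcessId=int(m["pid"]), Image=m["image"])
            rest = body[m.end():]
            if rec["EventID"] == 1 and (e1 := EVENT1.search(rest)):
                rec.update(CommandLine=e1["cmd"], Hashes=e1["hashes"], ParentProcessGuid=e1["pguid"],
                           ParentProcessId=int(e1["ppid"]), ParentImage=e1["pimage"], ParentCommandLine=e1["pcmd"])
            elif rec["EventID"] == 7:
                ld, hs = LOADED.match(rest), HASHES.search(rest)
                if ld and hs:
                    rec.update(ImageLoaded=ld.group(0), Hashes=hs["hashes"], Signed=hs["signed"])
            elif rec["EventID"] in (12, 13):
                # No delimiter between TargetObject and Details; split after "(Default)", the only
                # value name this page shows. Other value names would need their own anchor.
                key, sep, details = rest.partition("(Default)")
                rec["TargetObject"] = key + sep if sep else rest
                if sep:
                    rec["Details"] = details
        out.append(rec)
    return out

def detect(records):
    """Three per-event rules, then a per-ProcessGuid correlation. Returns (rule, guid, detail) tuples."""
    findings, seen = [], {}
    for r in records:
        g = r.get("ProcessGuid")
        if r["EventID"] == 1 and basename(r.get("Image", "")) == "regsvr32.exe" and "CommandLine" in r:
            args = split_args(r["CommandLine"])
            flags = {a.lower() for a in args[1:] if a[:1] in ("/", "-")}
            target = args[-1] if len(args) > 1 and args[-1][:1] not in ("/", "-") else ""
            if (any(f.startswith(("/i", "-i")) for f in flags) and flags & {"/s", "-s"}
                    and USER_WRITABLE.match(target) and basename(r["ParentImage"]) in SCRIPT_HOSTS):
                findings.append(("regsvr32_silent_install_user_dll", g, target))
                seen.setdefault(g, {})["install"] = target.lower()
        elif r["EventID"] == 7 and r.get("Signed") == "false" and USER_WRITABLE.match(r.get("ImageLoaded", "")):
            findings.append(("unsigned_dll_from_user_path", g, r["ImageLoaded"]))
        elif r["EventID"] == 13 and INPROC_KEY.search(r.get("TargetObject", "")) \
                and USER_WRITABLE.match(r.get("Details", "")):
            findings.append(("com_inprocserver32_to_user_path", g, r["TargetObject"]))
            seen.setdefault(g, {})["com"] = r["Details"].lower()
    for g, s in seen.items():  # same process installed a user-path DLL and registered that same DLL as a COM server
        if "install" in s and s["install"] == s.get("com"):
            findings.append(("dynwrapx_style_chain", g, s["install"]))
    return findings

if __name__ == "__main__":
    for finding in detect(parse(RAW)):
        print(*finding, sep="  ")
```

Running it prints four findings, all for ProcessGuid {8B6011A9-B50B-6155-0538-02000000F001}: the silent install from Temp launched by wscript.exe, the unsigned load of dynwrapx.dll, the InProcServer32 value pointing into the user profile, and the correlated chain. The first rule alone is noisy on hosts where installers run regsvr32 from a script; the correlation with the Event 13 value (same process, same DLL path) is what makes the finding worth a page, and the Sysmon configuration must actually capture Event 13 on CLSID\...\InProcServer32 for it to fire.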
13:00:59.792{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014977617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.790{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000014977585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.774{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014977584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.772{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014977583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.771{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014977582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.770{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014977581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.769{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014977580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.769{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014977579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.769{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014977578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.768{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000014977575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.489{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014977574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.489{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014977573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.488{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000014977570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.374{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014977569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:59.362{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014977568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:59.362{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014977567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:59.362{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014977566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:00:59.362{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014977565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.361{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® 
Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000014977564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.361{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014977563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.361{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014977562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.360{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014977561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.360{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014977560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.360{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014977559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.360{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014977558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.360{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
WindowsValid 734700x800000000000000014977464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.289{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014977463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.289{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014977462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.289{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014977461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.288{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014977460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.288{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014977459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.288{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014977458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.287{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014977457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.287{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014977456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.287{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 534500x800000000000000014977455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.287{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exe 734700x800000000000000014977454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.287{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014977453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.286{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014977451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.286{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014977449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.285{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014977448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.284{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014977447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.283{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014977446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.282{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014977445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.282{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014977444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.282{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014977443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.281{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014977442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.281{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014977441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.281{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014977440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.280{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014977439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.280{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014977438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.279{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014977437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.279{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014977436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.278{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014977435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.278{8B6011A9-B50A-6155-0238-02000000F001}90564900C:\Windows\System32\WScript.exe{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014977434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.277{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs" 734700x800000000000000014977433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.274{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014977432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.273{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014977431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.268{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014977178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.189{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014977126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.187{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014977098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.185{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014977072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.185{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000014977040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:00:59.184{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x800000000000000014977014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.184{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014977012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:00:59.184{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014977011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:00:59.183{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 22542200x800000000000000014977693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:16.657{8B6011A9-B50B-6155-0438-02000000F001}9672paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000014977692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:16.101{8B6011A9-B50A-6155-0238-02000000F001}9056paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\System32\wscript.exe 354300x800000000000000014977691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:15.026{8B6011A9-B50A-6155-0238-02000000F001}9056C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local50668-false172.67.68.88-443https 734700x800000000000000014977858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.866{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 13241300x800000000000000014977855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:01:01.865{8B6011A9-B50D-6155-0738-02000000F001}7340C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014977853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.865{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014977852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.865{8B6011A9-B50D-6155-0738-02000000F001}7340C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014977851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.864{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 12241200x800000000000000014977840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014977839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014977838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014977837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014977836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 734700x800000000000000014977835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.853{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 12241200x800000000000000014977834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.852{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014977833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.852{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014977832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.852{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000014977831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.852{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014977829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.852{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000014977827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.851{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 
734700x800000000000000014977823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.851{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000014977820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.850{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000014977815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.849{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014977814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.849{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014977810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:01.848{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000014977809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.848{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000014977807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:01.848{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000014977806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:01:01.848{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014977804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.848{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000014977795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.845{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014977793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014977792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014977791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014977790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014977789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014977788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.844{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014977787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.843{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014977786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.843{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000014977784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.843{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014977783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.842{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014977782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.842{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014977781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.842{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014977779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.841{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014977777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.841{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014977776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.841{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014977774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.840{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014977772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.840{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014977769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.840{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014977767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.839{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014977765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.839{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014977763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.838{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014977762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.838{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014977760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.838{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014977758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.838{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014977756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.837{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014977755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.837{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014977753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.837{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014977752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.836{8B6011A9-B50B-6155-0438-02000000F001}96722008C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B50D-6155-0738-02000000F001}7340C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 
154100x800000000000000014977751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.836{8B6011A9-B50D-6155-0738-02000000F001}7340C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014977750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.836{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014977749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.836{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014977748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.836{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014977747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.834{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014977746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.834{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014977745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.833{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014977744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.833{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 
12241200x800000000000000014977743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:01.833{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014977742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.833{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014977741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.833{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014977740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.833{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014977739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.832{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014977738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.832{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014977737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.832{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014977736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.831{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014977735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.831{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014977734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.831{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014977733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.827{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014977732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:01.827{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005A60169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000007441058) 154100x800000000000000014977731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:01.828{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 354300x800000000000000014977728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:15.580{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local50669-false172.67.68.88-443https 734700x800000000000000014977861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.935{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014978070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.935{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014978069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.935{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000014978068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.935{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000014978067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.934{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014978066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.934{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000014978065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.934{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000014978064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.934{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000014978063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:05.933{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000014978062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 13:01:05.933{8B6011A9-B50B-6155-0438-02000000F001}9672\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000014978061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:05.932{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000014978060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:05.932{8B6011A9-B50B-6155-0438-02000000F001}9672C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000014978059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.929{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014978058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.929{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014978057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.929{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014978056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.928{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000014978055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.928{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014978054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.928{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014978053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.928{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000014978052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.927{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014978051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.927{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014978050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.927{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014978049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:05.927{8B6011A9-B50B-6155-0438-02000000F001}96728760C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000014978048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
734700x800000000000000014978414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.190{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014978413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.190{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014978412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.190{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014978411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.189{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000014978410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.189{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014978409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.188{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014978408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.188{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014978407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.187{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014978406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:10.186{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014978405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.186{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014978404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.185{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014978403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.183{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 
734700x800000000000000014978402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.183{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014978401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.183{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014978400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.182{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014978399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.181{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 
734700x800000000000000014978398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.181{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014978397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.180{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014978396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.179{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014978395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.178{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 
734700x800000000000000014978394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.178{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014978393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.177{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000014978392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.177{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014978391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.176{8B6011A9-51ED-6143-0C00-00000000F001}8528904C:\Windows\system32\svchost.exe{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000014978390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.175{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014978389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.175{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014978388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.175{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014978387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.174{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014978386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.172{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000014978385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.171{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014978384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.171{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014978383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.170{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for 
WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014978382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.170{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014978381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.170{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014978380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.170{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014978379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.169{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014978378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.169{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014978377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.169{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014978376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.169{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014978375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.168{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014978374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.168{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014978373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.168{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014978372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.168{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014978371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.168{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014978370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.167{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014978369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.167{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014978368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.166{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014978367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.166{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014978366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.165{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014978365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.164{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 534500x800000000000000014978364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.164{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe 734700x800000000000000014978363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.164{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014978362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:10.164{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014978361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.164{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014978360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.163{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014978359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.163{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014978358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:10.162{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014978357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.162{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000014978356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.162{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 12241200x800000000000000014978355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.162{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 734700x800000000000000014978354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.162{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014978353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:10.161{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014978352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.161{8B6011A9-B50D-6155-0638-02000000F001}50207508C:\Windows\winhlp32.exe{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014978351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.161{8B6011A9-B516-6155-0F38-02000000F001}7688C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft 
Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\fwhatsnnrhy.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 13241300x800000000000000014978350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:10.158{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014978349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:10.158{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000014978348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:10.157{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014978347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:10.157{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014978346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:01:10.157{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014978345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.149{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000014978344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.148{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x800000000000000014978343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.148{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000014978342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.148{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000014978341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:01:10.148{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 
12241200x800000000000000014978340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.148{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 12241200x800000000000000014978339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.147{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000014978338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.145{8B6011A9-51ED-6143-0C00-00000000F001}8528904C:\Windows\system32\svchost.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014978337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.144{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014978336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:01:10.143{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014978335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.138{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014978334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.136{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014978333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.136{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014978332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:01:10.135{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 10341000x800000000000000014978331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.134{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014978330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.134{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014978329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.134{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014978328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.133{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 11241100x800000000000000014978327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:01:10.132{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\fwhatsnnrhy.vbs2021-09-30 13:01:10.132 12241200x800000000000000014978326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-30 13:01:10.131{8B6011A9-B50D-6155-0638-02000000F001}5020C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000014981089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.965{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014981088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.964{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014981087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.962{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014981086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.961{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014981085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.961{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014981084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.961{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014981083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.961{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000014981082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.960{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014981079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.718{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014981078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.718{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014981077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.717{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft 
Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014981074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.590{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014981073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.580{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.580{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.580{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.580{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000014981069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.580{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.579{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014981067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.579{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014981066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014981065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014981064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 
12241200x800000000000000014981063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014981062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014981061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014981060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014981059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014981058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014981057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014981056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014981055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.578{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014981054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.577{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014981053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.577{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014981052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.576{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014981051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.576{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating 
SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014981050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.576{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000014981049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.559{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000014981048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.559{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000014981047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.550{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 
734700x800000000000000014981046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.550{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000014981045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.549{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.547{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014981037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.547{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000014981036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.545{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014981035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.545{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 
13241300x800000000000000014981034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.545{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014981032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.544{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014981031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014981030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014981029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014981028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings 12241200x800000000000000014981027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014981026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014981025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000014981024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014981023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014981022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.543{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000014981021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.542{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014981020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:15.542{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000014981019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.542{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014981018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.542{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 
12241200x800000000000000014981017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.542{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014981016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.541{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000014981015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.535{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000014981014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.534{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000014981013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.534{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000014981012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.532{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014981011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.532{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014981010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.531{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000014981009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.528{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000014981008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.527{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000014981007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.527{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000014981006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.527{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000014981005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.526{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000014981004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.526{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000014981003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.524{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000014981002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.523{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000014981001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.521{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000014981000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.521{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000014980999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.521{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000014980998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.521{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000014980997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.521{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000014980996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.520{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000014980995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.520{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000014980994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.520{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000014980993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.519{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000014980992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.519{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000014980991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.518{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014980990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.518{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000014980989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.517{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000014980988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.517{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000014980987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.517{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000014980986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.515{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000014980985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.515{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000014980984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.515{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® 
Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000014980983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.515{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000014980982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.514{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000014980981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.513{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000014980980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.512{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000014980979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.512{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000014980978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.511{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000014980977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.510{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000014980976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.510{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014980975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:15.510{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000014980974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.509{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014980973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.508{8B6011A9-51ED-6143-1600-00000000F001}13249284C:\Windows\System32\svchost.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014980972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.508{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014980971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.507{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000014980970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.507{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000014980969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.505{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000014980968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.504{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000014980967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.504{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000014980966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.503{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000014980965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.503{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000014980964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.503{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000014980963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.503{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000014980962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.502{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000014980961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.502{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014980960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.502{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014980959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.502{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014980958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.502{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014980957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.501{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014980956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.501{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014980955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.501{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014980954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.500{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014980953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.499{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014980952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.499{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014980951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.498{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014980950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.498{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000014980949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:15.497{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014980948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.497{8B6011A9-B0F1-6155-7237-02000000F001}12527856C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014980947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:15.497{8B6011A9-B5CF-6155-2838-02000000F001}1172C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000014981426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.599{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014981422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.596{8B6011A9-B5D0-6155-2B38-02000000F001}9320C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014981420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.595{8B6011A9-B5D0-6155-2B38-02000000F001}9320C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014981371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.572{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014981369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.571{8B6011A9-B5D0-6155-2A38-02000000F001}77564128C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B5D0-6155-2B38-02000000F001}9320C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014981368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.571{8B6011A9-B5D0-6155-2B38-02000000F001}9320C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014981367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.567{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014981366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.566{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000014981365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.557{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014981364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.557{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014981363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.556{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014981362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.555{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000014981328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.538{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014981327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.536{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014981326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.535{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014981325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.534{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014981324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.533{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014981323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.533{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014981322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.533{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014981321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.532{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000014981318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.254{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000014981317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.254{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000014981316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.253{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000014981311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.130{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000014981310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.119{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.119{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.119{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014981307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.118{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014981306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® 
Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000014981305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014981304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014981303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014981302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014981301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014981300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014981299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.117{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x800000000000000014981298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014981297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014981296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014981295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014981294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014981293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014981292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.116{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000014981291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.115{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000014981290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.114{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000014981289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.114{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000014981288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.103{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 
734700x800000000000000014981287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.103{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000014981286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.094{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000014981285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000014981284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000014981282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.093{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000014981277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.091{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000014981276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.090{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000014981275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.088{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000014981274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.088{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000014981273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.088{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000014981271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000014981270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014981269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014981268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000014981267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000014981266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000014981265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014981264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014981263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:04:16.086{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014981262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.085{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000014981261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.085{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014981260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:04:16.085{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014981259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.085{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 
734700x800000000000000014981258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.084{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014981257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.084{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000014981256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.084{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000014981255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.084{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014981254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.083{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014981253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.083{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014981252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.082{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000014981251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.080{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014981250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.079{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014981249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.075{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014981248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.074{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014981247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.073{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014981246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.073{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014981245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.073{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014981244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.073{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014981243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.071{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014981242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.070{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014981241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.068{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014981240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.067{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014981239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.067{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014981238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.067{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014981237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.067{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014981236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.066{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014981235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.066{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014981234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.065{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014981233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.065{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014981232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.064{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014981231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.063{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014981230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.063{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014981229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.062{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014981228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.062{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014981227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.060{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014981226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.060{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014981225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.060{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014981224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.060{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014981223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.059{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014981222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.058{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014981221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.057{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014981220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.057{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014981219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.056{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014981218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.055{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014981217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.055{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014981216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:16.055{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014981215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.054{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014981214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.053{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014981213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:16.053{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014981212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.052{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014981211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.052{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014981210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:16.049{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014981479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.606{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014981478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.606{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014981477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.605{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014981474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.605{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014981472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.605{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014981471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.604{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014981470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.604{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014981468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.604{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000014981467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.604{8B6011A9-B5D0-6155-2A38-02000000F001}77566968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B5D2-6155-2D38-02000000F001}3484C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014981466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.604{8B6011A9-B5D2-6155-2D38-02000000F001}3484C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014981465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.603{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014981464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.603{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014981463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.602{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014981462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:18.602{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014981461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.601{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014981460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:18.601{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014981459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.601{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000014981458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:04:18.601{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000014981457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.600{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014981456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.600{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014981455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.600{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014981454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.599{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 
734700x800000000000000014981453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.599{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014981452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.598{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014981451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.598{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014981450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.598{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014981449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:18.596{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014981448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.595{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005110169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000676DD8) 154100x800000000000000014981447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:18.595{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 
10341000x800000000000000014981795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:20.715{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014981794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:20.715{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014981792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.712{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.712{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.712{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.712{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.711{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:20.711{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:20.710{8B6011A9-B5D4-6155-3238-02000000F001}62206732C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B5D4-6155-2E38-02000000F001}5972C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014981781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.709{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000014981913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.709{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014981912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.709{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000014981911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014981910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014981909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000014981908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000014981907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014981906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000014981905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.708{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000014981904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.707{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000014981903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.707{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 11241100x800000000000000014981902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.706{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000014981901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.706{8B6011A9-B5D0-6155-2A38-02000000F001}7756ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000014981900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014981899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014981898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014981897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014981896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014981895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014981894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:04:22.704{8B6011A9-B5D0-6155-2A38-02000000F001}77564308C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 534500x800000000000000014981893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.701{8B6011A9-B5D6-6155-3338-02000000F001}1152C:\Windows\winhlp32.exe 734700x800000000000000014981892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:04:22.701{8B6011A9-B5D0-6155-2A38-02000000F001}7756C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000014981891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.616{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000014984514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.615{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014984513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.615{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014984512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.615{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000014984511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.614{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000014984510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:06:25.614{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000014984509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.614{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000014984508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.614{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000014984507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.614{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000014984506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.613{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
734700x800000000000000014984505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.613{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000014984504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.612{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000014984503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.612{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000014984502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.611{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft 
WindowsValid 10341000x800000000000000014984501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.609{8B6011A9-51EB-6143-0B00-00000000F001}6327124C:\Windows\system32\lsass.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014984500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.609{8B6011A9-51EB-6143-0B00-00000000F001}6327124C:\Windows\system32\lsass.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000014984497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.604{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000014984496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.603{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000014984495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.602{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014984494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.602{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 
734700x800000000000000014984493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.602{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014984492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.601{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014984491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.599{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000014984490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.598{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000014984489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.596{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014984488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.596{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014984487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.596{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014984486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.595{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014984485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.595{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014984484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.595{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014984483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.595{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014984482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.594{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000014984481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.593{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000014984480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.593{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000014984479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.592{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014984478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.592{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000014984477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.591{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000014984476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.591{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000014984475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.589{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000014984474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.589{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000014984473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.589{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000014984472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.588{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000014984471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.588{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000014984470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.587{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000014984469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.586{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000014984468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.586{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000014984467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.584{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000014984466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.584{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000014984465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.583{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000014984464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.583{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000014984463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.583{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014984462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.581{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014984461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.581{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000014984460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.581{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000014984459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.581{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000014984458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.578{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000014984457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.577{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000014984456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.577{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000014984455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.577{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000014984454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.576{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000014984453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.576{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000014984452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.576{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000014984451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.575{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000014984450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.575{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000014984449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.575{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014984448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.575{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014984447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.574{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000014984446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.574{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000014984445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.574{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014984444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.573{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 534500x800000000000000014984443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.573{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exe 734700x800000000000000014984442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.573{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000014984441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.573{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014984440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.573{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014984439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.571{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000014984438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.571{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014984437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.570{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000014984436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.570{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014984435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.570{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014984434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.569{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014984433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.569{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014984432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.569{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014984431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.568{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014984430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.568{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014984429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.568{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014984428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.567{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000014984427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.566{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014984426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.566{8B6011A9-B651-6155-4638-02000000F001}67048840C:\Windows\System32\WScript.exe{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014984425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.566{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs" 734700x800000000000000014984424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.563{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000014984423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.562{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000014984422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.557{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000014984337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.495{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000014984336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.493{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000014984335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.491{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000014984334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.491{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000014984333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.490{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000014984332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.490{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000014984331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.490{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000014984330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.489{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000014984324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.246{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000014984323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.246{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000014984322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.245{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000014984321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.127{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000014984320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014984319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014984318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014984317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000014984316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000014984315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:25.113{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000014984314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.112{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000014984313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.112{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000014984312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000014984311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014984310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000014984309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014984308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000014984307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000014984306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014984305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000014984304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000014984303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000014984302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
12241200x800000000000000014984301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:25.111{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000014984300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.110{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000014984299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.110{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000014984298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.109{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000014984297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000014984169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.017{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000014984168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.016{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000014984166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.016{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014984165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.016{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000014984164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.016{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000014984162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.015{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000014984161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.015{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000014984159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.014{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000014984158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.014{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014984157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.013{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014984156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.013{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000014984154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:25.012{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014984153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.012{8B6011A9-B0F1-6155-7237-02000000F001}12524548C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000014984152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:25.012{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000014984680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.126{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000014984676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:26.123{8B6011A9-B652-6155-4938-02000000F001}5256C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014984674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.122{8B6011A9-B652-6155-4938-02000000F001}5256C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000014984625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.098{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000014984623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.097{8B6011A9-B651-6155-4838-02000000F001}50046220C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B652-6155-4938-02000000F001}5256C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014984622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.097{8B6011A9-B652-6155-4938-02000000F001}5256C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014984621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.093{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000014984620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:26.092{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000014984619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:26.083{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014984618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:26.083{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014984617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:26.082{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000014984616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.081{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000014984584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.064{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000014984583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.063{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000014984582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:26.061{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000014984581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.060{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000014984580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:26.060{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000014984579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:26.060{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000014984578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:26.059{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000014984577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:26.059{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 22542200x800000000000000014984743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:42.950{8B6011A9-B651-6155-4838-02000000F001}5004paste.ee0::ffff:104.26.4.223;::ffff:172.67.68.88;::ffff:104.26.5.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000014984742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:42.409{8B6011A9-B651-6155-4638-02000000F001}6704paste.ee0::ffff:104.26.4.223;::ffff:172.67.68.88;::ffff:104.26.5.223;C:\Windows\System32\wscript.exe 10341000x800000000000000014985051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.196{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014985050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.196{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000014985048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.194{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.194{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.194{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.193{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.193{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.193{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.192{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.192{8B6011A9-B654-6155-5138-02000000F001}79327972C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000014984995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.176{8B6011A9-B654-6155-5138-02000000F001}7932C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9628 -s 80C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000014984989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.172{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014984988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.172{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014984987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.172{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000014984958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:06:28.162{8B6011A9-B654-6155-4E38-02000000F001}8592C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014984955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.161{8B6011A9-B654-6155-4E38-02000000F001}8592C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 10341000x800000000000000014984892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.138{8B6011A9-B654-6155-4D38-02000000F001}96286160C:\Windows\winhlp32.exe{8B6011A9-B654-6155-4F38-02000000F001}9404C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|UNKNOWN(0000000076FDEF6C)|UNKNOWN(000000007705CF02)|UNKNOWN(000000007701F19A)|UNKNOWN(000000007701E602)|UNKNOWN(000000007701E24A)|UNKNOWN(00000000770167D2)|UNKNOWN(0000000076FD7FC0) 10341000x800000000000000014984888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:28.136{8B6011A9-B651-6155-4838-02000000F001}500410044C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B654-6155-4E38-02000000F001}8592C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014984887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.137{8B6011A9-B654-6155-4E38-02000000F001}8592C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014984886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.133{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014984885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:28.133{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000014984884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:28.133{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014984883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.133{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014984882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.133{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014984881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.133{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014984880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.132{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014984879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.132{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014984878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.132{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 354300x800000000000000014984873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:41.875{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local50839-false104.26.4.223-443https 354300x800000000000000014984872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:41.335{8B6011A9-B651-6155-4638-02000000F001}6704C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local50838-false104.26.4.223-443https 734700x800000000000000014984871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.131{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014984870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.131{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014984869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.131{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014984868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.128{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014984867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.128{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005370169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000079CB3B8) 154100x800000000000000014984866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:28.128{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 13241300x800000000000000014985179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:06:30.202{8B6011A9-B656-6155-5338-02000000F001}5232C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000014985177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.202{8B6011A9-B656-6155-5338-02000000F001}5232C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000014985157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.188{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exe 734700x800000000000000014985142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.184{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000014985139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000014985138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000014985137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000014985136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000014985135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000014985134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000014985133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.183{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000014985132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.182{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000014985130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.182{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000014985129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.182{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000014985128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.181{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000014985127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.181{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000014985125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.181{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000014985123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.181{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000014985122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.180{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000014985121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.180{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000014985119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.180{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000014985116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.179{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000014985114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.179{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000014985111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.178{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 
734700x800000000000000014985109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.178{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000014985108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.178{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000014985106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.177{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000014985103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.177{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 
734700x800000000000000014985102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.177{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000014985101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.176{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000014985099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.176{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000014985098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:30.176{8B6011A9-B651-6155-4838-02000000F001}500410156C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B656-6155-5338-02000000F001}5232C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000014985097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.176{8B6011A9-B656-6155-5338-02000000F001}5232C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000014985096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.176{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000014985095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.175{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000014985094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.175{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000014985093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.174{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000014985092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.174{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x800000000000000014985091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:30.173{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000014985090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.173{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000014985089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:06:30.173{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000014985088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.173{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000014985087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.172{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014985086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.172{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000014985085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.172{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000014985084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.171{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000014985083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.171{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000014985082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.171{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014985081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.170{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014985080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.170{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000014985079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.168{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014985078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.167{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005580169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000079CB508) 154100x800000000000000014985077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:30.168{8B6011A9-B656-6155-5238-02000000F001}9080C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 534500x800000000000000014985199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:31.176{8B6011A9-B654-6155-4D38-02000000F001}9628C:\Windows\winhlp32.exe 534500x800000000000000014985383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.282{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe 10341000x800000000000000014985381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.278{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x800000000000000014985379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.275{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.275{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.275{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 534500x800000000000000014985376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.275{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000014985372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.274{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000014985371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.274{8B6011A9-B658-6155-5738-02000000F001}95323524C:\Windows\SysWOW64\WerFault.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000014985329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.254{8B6011A9-B658-6155-5738-02000000F001}9532C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem 
ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 40C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000014985327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.252{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014985326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.252{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000014985325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.252{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014985324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.252{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000014985323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014985322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000014985321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000014985320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014985319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.251{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.251{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.251{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014985315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.251{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.236{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000014985261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.236{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014985260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.236{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000014985259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.235{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000014985257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.235{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000014985242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.232{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000014985238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.230{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000014985235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.230{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 154100x800000000000000014985224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.226{8B6011A9-B658-6155-5638-02000000F001}9936C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 28C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000014985222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.224{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.224{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.223{8B6011A9-B654-6155-5038-02000000F001}84564320C:\Windows\System32\svchost.exe{8B6011A9-B658-6155-5438-02000000F001}4408winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014985219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:06:32.223{8B6011A9-B658-6155-5438-02000000F001}44085840winhlp32.exe{8B6011A9-B658-6155-5538-02000000F001}5776winhlp32.exe0x1fffffUNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 734700x800000000000000014985218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.214{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000014985217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.214{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000014985216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.214{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft 
WindowsValid 10341000x800000000000000014985215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.211{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000014985214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.211{8B6011A9-B651-6155-4838-02000000F001}50045944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000058A0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000079CB4A8) 154100x800000000000000014985213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:06:32.211{8B6011A9-B658-6155-5438-02000000F001}4408C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B651-6155-4838-02000000F001}5004C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 10341000x800000000000000015004053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:27:43.999{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015003965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:27:43.994{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000015013615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:53.495{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Temp\winhlp32.exe2021-09-30 13:37:53.495 734700x800000000000000015014040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:37:59.803{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\HelpPaneProxy.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Help ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationhelppaneproxy.dllMD5=E2AEBCDD66035AAB459B129946BEC8B8,SHA256=155BADD79618A0E3F14C64D4CAFCC69107B933603CCDDAE4D16CBD1F847495F0trueMicrosoft WindowsValid 734700x800000000000000015014017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.782{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\dciman32.dll10.0.14393.0 (rs1_release.160715-1616)DCI ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdciman32MD5=550BA2C78144D79BD4CE88F9BE77BE9F,SHA256=295446F96E53BEF65A1DECCDC457DD61F56252EC39FD3CAF5DDE8834FFBB8785trueMicrosoft WindowsValid 734700x800000000000000015013991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.775{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=8E3C6A8EC029C91825AF395AC25D42AF,SHA256=7C2F9B37E01F41DF2B9958F7F647EF7F1AD6BC45839644D30F20FFA4BE4060EDtrueMicrosoft WindowsValid 10341000x800000000000000015013964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:37:59.805{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015013963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.800{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 10341000x800000000000000015013962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.793{8B6011A9-51ED-6143-1600-00000000F001}13249800C:\Windows\System32\svchost.exe{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015013961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:37:59.793{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015013960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.792{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015013959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.784{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015013958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.780{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000015013957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.779{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=A6D357B5D2E7F2465F6FA882AA821E28,SHA256=94E388860E6CF3C8A2B4DA25C23D8B54A88C49E6CB7664B8A164FFC2B9316E7AtrueMicrosoft WindowsValid 734700x800000000000000015013947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.741{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValid 734700x800000000000000015013922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.739{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ddraw.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)Microsoft DirectDrawMicrosoft® Windows® Operating SystemMicrosoft CorporationDDraw.dllMD5=6EEDA6E373766904488926822E777536,SHA256=7AC8AECB6E830534DFDF7F7AFA8A8CA8A8E1A4DE753B6A315233B28A0E6D90D4trueMicrosoft WindowsValid 734700x800000000000000015013904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.743{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 
734700x800000000000000015013903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.742{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015013893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.725{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=B65F2AFD9AA2BE2DBE0E1CE72FF7F75C,SHA256=3B44113F845FD512530AADAA6CC437028E635742D92E28AF57B9F32BA958B697trueMicrosoft WindowsValid 734700x800000000000000015013875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.726{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015013865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:37:59.711{8B6011A9-BDB7-6155-4F39-02000000F001}6000C:\Temp\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft 
13:38:33.437{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\dciman32.dll10.0.14393.0 (rs1_release.160715-1616)DCI ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdciman32MD5=550BA2C78144D79BD4CE88F9BE77BE9F,SHA256=295446F96E53BEF65A1DECCDC457DD61F56252EC39FD3CAF5DDE8834FFBB8785trueMicrosoft WindowsValid 734700x800000000000000015018896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.437{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015018895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.425{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015018880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.435{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=A6D357B5D2E7F2465F6FA882AA821E28,SHA256=94E388860E6CF3C8A2B4DA25C23D8B54A88C49E6CB7664B8A164FFC2B9316E7AtrueMicrosoft WindowsValid 734700x800000000000000015018879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:38:33.434{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=8E3C6A8EC029C91825AF395AC25D42AF,SHA256=7C2F9B37E01F41DF2B9958F7F647EF7F1AD6BC45839644D30F20FFA4BE4060EDtrueMicrosoft WindowsValid 734700x800000000000000015018878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.433{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015018877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.433{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValid 734700x800000000000000015018876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.433{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ddraw.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)Microsoft DirectDrawMicrosoft® Windows® Operating SystemMicrosoft CorporationDDraw.dllMD5=6EEDA6E373766904488926822E777536,SHA256=7AC8AECB6E830534DFDF7F7AFA8A8CA8A8E1A4DE753B6A315233B28A0E6D90D4trueMicrosoft WindowsValid 734700x800000000000000015018875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.432{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 
(rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015018874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.429{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=B65F2AFD9AA2BE2DBE0E1CE72FF7F75C,SHA256=3B44113F845FD512530AADAA6CC437028E635742D92E28AF57B9F32BA958B697trueMicrosoft WindowsValid 734700x800000000000000015018873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.429{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000015018857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.423{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015018855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:38:33.428{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015018846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.427{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValid 734700x800000000000000015018845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.427{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015018844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.426{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015018843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:38:33.426{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015018842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.426{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015018841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.425{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015018840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.424{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015018839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:38:33.424{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015018838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.424{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015018837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.424{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015018836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.423{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015018834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.423{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015018833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.423{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015018832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.422{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015018831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.422{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015018830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.422{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base 
cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015018829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.422{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015018828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.421{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015018827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.421{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015018826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.421{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\AppPatch\AcSpecfc.dll10.0.14393.3115 (rs1_release_1.190708-1703)Windows Compatibility DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporation-MD5=DFF7532E4CD772161528925D77EBAC54,SHA256=68B1FF190FD9601E1F441A0AA6D727618BE1A59099278B52178F4BB450E9D257trueMicrosoft WindowsValid 734700x800000000000000015018825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.419{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x800000000000000015018824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.418{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015018823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.418{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015018822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.417{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015018821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.417{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015018820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.417{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015018819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.417{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015018818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.416{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015018817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.416{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015018816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.416{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015018815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.415{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015018814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.415{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015018813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.415{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exeC:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015018812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.414{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015018811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:38:33.413{8B6011A9-B0F1-6155-7237-02000000F001}12529616-{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+3c91c|C:\Windows\System32\shell32.dll+e2087|C:\Windows\System32\shell32.dll+e1fe5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x800000000000000015018810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:38:33.414{8B6011A9-BDD9-6155-6039-02000000F001}6896C:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\temp\winhlp32.exe" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015027473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.964{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000015027472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.955{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000015027463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.952{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000015027462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.945{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000015027446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.950{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000015027444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.949{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000015027443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.949{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000015027442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.949{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000015027429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.699{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000015027398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.699{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000015027379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.697{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000015027358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.553{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000015027357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:46:37.540{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015027356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.540{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015027355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.540{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015027354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.540{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015027353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.539{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015027352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.539{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015027351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.539{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000015027350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.537{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015027349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.537{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015027348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.537{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015027347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.537{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015027346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015027345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 
12241200x800000000000000015027344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015027343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015027342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015027341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015027340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015027339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015027338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015027337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.536{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000015027336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.535{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000015027335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.533{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000015027334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.531{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000015027333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:46:37.514{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015027332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.514{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000015027331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.500{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000015027321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.422{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000015027303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.433{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating 
SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000015027302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.433{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.433{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.433{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.433{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.432{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.432{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015027296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.432{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000015027286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.430{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015027284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.407{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000015027271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.430{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000015027266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.428{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015027265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.427{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 
13241300x800000000000000015027264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.427{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015027262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015027261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015027260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015027259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015027258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings 12241200x800000000000000015027257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015027256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015027255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.425{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000015027254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015027253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015027252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000015027251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015027250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015027249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015027248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 
12241200x800000000000000015027247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:37.424{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015027246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.423{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000015027245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.423{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000015027244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.421{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000015027243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.419{8B6011A9-51EB-6143-0B00-00000000F001}6327220C:\Windows\system32\lsass.exe{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015027242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.419{8B6011A9-51EB-6143-0B00-00000000F001}6327220C:\Windows\system32\lsass.exe{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015027241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.419{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015027238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.412{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000015027237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.411{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000015027236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.410{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015027235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:37.410{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000015027234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.410{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015027233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.410{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000015027224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:37.391{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015027194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 12241200x800000000000000015028205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015028204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015028203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015028202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015028201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015028200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015028199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x800000000000000015028198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015028197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015028196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015028195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015028194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.203{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015028192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.202{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015028185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.198{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000015028159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.183{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 12241200x800000000000000015028138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.183{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015028133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.168{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015028104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.166{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 
734700x800000000000000015028076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.162{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 12241200x800000000000000015028058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.165{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015028051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.163{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015028042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.138{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 13241300x800000000000000015028024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.157{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015028023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.156{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015028022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:46:38.156{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015028020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.155{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015028019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015028018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015028017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015028016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 
12241200x800000000000000015028015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015028014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015028013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015028012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.154{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015028011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.153{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000015028010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.153{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 13241300x800000000000000015028009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.153{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015028008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:38.153{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015028007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.152{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015028006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.152{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 
Sysmon records, reconstructed from the flattened export (the export ran every field of each event together and wrapped records at the space between date and time). Common to every record: Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local, RuleName "-", Keywords 0x8000000000000000. The digit run that opens each exported record is EventID, Version, Level, Task, Opcode: 7 3 4 7 0 for ImageLoad, 10 3 4 10 0 for ProcessAccess, 12 2 4 12 0 for RegistryEvent. UtcTime is 2021-09-30 for every record. The ImageLoad and RegistryEvent records belong to ProcessGuid {8B6011A9-BFBE-6155-AA39-02000000F001}, ProcessId 5204, Image C:\Windows\SysWOW64\wscript.exe (the registry records spell it C:\Windows\SYSWOW64\WSCRIPT.EXE); the ProcessAccess records name their own source and target. Every complete ImageLoad record has Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid. Order is as exported, descending EventRecordID.

RecordID | EventID | UtcTime | Object | Details
  7 (ImageLoad):      Object = ImageLoaded; Details = FileVersion; Description; Product; OriginalFileName; Hashes
  10 (ProcessAccess): Object = SourceImage -> TargetImage, each with its ProcessGuid and ProcessId; Details = GrantedAccess; CallTrace (frames separated by "|")
  12 (RegistryEvent): Object = TargetObject; Details = EventType

15028005 | 12 | 13:46:38.152 | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | CreateKey
15028004 | 7 | 13:46:38.151 | C:\Windows\SysWOW64\winhttp.dll | 10.0.14393.4467 (rs1_release.210604-1844); Windows HTTP Services; Microsoft® Windows® Operating System; winhttp.dll; MD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96
15028003 | 7 | 13:46:38.151 | C:\Windows\SysWOW64\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502); IP Helper API; Microsoft® Windows® Operating System; iphlpapi.dll; MD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0
15028002 | 7 | 13:46:38.150 | C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll | 10.0.14393.0 (rs1_release.160715-1616); On Demand Connctiond Route Helper; Microsoft® Windows® Operating System; OnDemandConnRouteHelper.dll; MD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FB
15028001 | 7 | 13:46:38.149 | C:\Windows\SysWOW64\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801); Windows Socket 2.0 32-Bit DLL; Microsoft® Windows® Operating System; ws2_32.dll; MD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F
15028000 | 10 | 13:46:38.147 | C:\Windows\system32\lsass.exe (ProcessGuid {8B6011A9-51EB-6143-0B00-00000000F001}; SourceProcessId and SourceThreadId exported as the single run 6327220) -> C:\Windows\SYSWOW64\WSCRIPT.EXE (ProcessGuid {8B6011A9-BFBE-6155-AA39-02000000F001}, ProcessId 5204) | GrantedAccess 0x1478; CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
15027999 | 10 | 13:46:38.147 | C:\Windows\system32\lsass.exe (ProcessGuid {8B6011A9-51EB-6143-0B00-00000000F001}; SourceProcessId and SourceThreadId exported as the single run 6327220) -> C:\Windows\SYSWOW64\WSCRIPT.EXE (ProcessGuid {8B6011A9-BFBE-6155-AA39-02000000F001}, ProcessId 5204) | GrantedAccess 0x1000; CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
15027998 | 7 | 13:46:38.143 | C:\Windows\SysWOW64\mlang.dll | 10.0.14393.4169 (rs1_release.210107-1130); Multi Language Support DLL; Microsoft® Windows® Operating System; MLANG.DLL; MD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187C
15027994 | 7 | 13:46:38.141 | C:\Windows\SysWOW64\wininet.dll | 11.00.14393.4583 (rs1_release.210730-1850); Internet Extensions for Win32; Internet Explorer; wininet.dll; MD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357
15027981 | 7 | 13:46:38.124 | C:\Windows\SysWOW64\scrobj.dll | 5.812.10240.16384; Windows ® Script Component Runtime; Microsoft ® Windows ® Script Component Runtime; scrobj.dll; MD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480A
15027970 | 7 | 13:46:38.140 | C:\Windows\SysWOW64\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616); Net Win32 API Helpers DLL; Microsoft® Windows® Operating System; NETUTILS.DLL; MD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90
15027969 | 7 | 13:46:38.140 | C:\Windows\SysWOW64\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616); Server Service Client DLL; Microsoft® Windows® Operating System; SRVCLI.DLL; MD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126
15027968 | 7 | 13:46:38.140 | C:\Windows\SysWOW64\iertutil.dll | 11.00.14393.4467 (rs1_release.210604-1844); Run time utility for Internet Explorer; Internet Explorer; IeRtUtil.dll; MD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3
15027967 | 7 | 13:46:38.140 | C:\Windows\SysWOW64\urlmon.dll | 11.00.14393.4530 (rs1_release.210705-0736); OLE32 Extensions for Win32; Internet Explorer; UrlMon.dll; MD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4
15027955 | 7 | 13:46:38.118 | C:\Windows\SysWOW64\wshext.dll | 5.812.10240.16384; Microsoft ® Shell Extension for Windows Script Host; Microsoft ® Windows Script Host; wshext.dll; MD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BA
15027928 | 7 | 13:46:38.115 | C:\Windows\SysWOW64\coml2.dll | 10.0.14393.2608 (rs1_release.181024-1742); Microsoft COM for Windows; Microsoft® Windows® Operating System; COML2.DLL; MD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54A
15027902 | 7 | 13:46:38.112 | C:\Windows\SysWOW64\msisip.dll | 5.0.14393.4530 (rs1_release.210705-0736); MSI Signature SIP Provider; Windows Installer - Unicode; MSISIP.DLL; MD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112
15027884 | 7 | 13:46:38.120 | C:\Windows\SysWOW64\profapi.dll | 10.0.14393.0 (rs1_release.160715-1616); User Profile Basic API; Microsoft® Windows® Operating System; PROFAPI.DLL; MD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C
15027880 | 7 | 13:46:38.120 | C:\Windows\SysWOW64\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130); SHCORE; Microsoft® Windows® Operating System; SHCORE.dll; MD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA
15027864 | 7 | 13:46:38.109 | C:\Windows\SysWOW64\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844); Microsoft Enhanced Cryptographic Provider; Microsoft® Windows® Operating System; rsaenh.dll; MD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B
15027861 | 7 | 13:46:38.120 | C:\Windows\SysWOW64\shlwapi.dll | 10.0.14393.4169 (rs1_release.210107-1130); Shell Light-weight Utility Library; Microsoft® Windows® Operating System; SHLWAPI.DLL; MD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95
15027857 | 7 | 13:46:38.119 | C:\Windows\SysWOW64\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616); Power Profile Helper DLL; Microsoft® Windows® Operating System; POWRPROF.DLL; MD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489
15027856 | 7 | 13:46:38.119 | C:\Windows\SysWOW64\windows.storage.dll | 10.0.14393.4583 (rs1_release.210730-1850); Microsoft WinRT Storage API; Microsoft® Windows® Operating System; Windows.Storage.dll; MD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037F
15027855 | 7 | 13:46:38.119 | C:\Windows\SysWOW64\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616); Configuration Manager DLL; Microsoft® Windows® Operating System; CFGMGR32.DLL; MD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97
15027854 | 7 | 13:46:38.118 | C:\Windows\SysWOW64\shell32.dll | 10.0.14393.4583 (rs1_release.210730-1850); Windows Shell Common Dll; Microsoft® Windows® Operating System; SHELL32.DLL; MD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BE
15027844 | 7 | 13:46:38.104 | C:\Windows\SysWOW64\amsi.dll | 10.0.14393.4169 (rs1_release.210107-1130); Anti-Malware Scan Interface; Microsoft® Windows® Operating System; amsi.dll; MD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039D
15027822 | 7 | 13:46:38.103 | C:\Windows\SysWOW64\vbscript.dll | 5.812.10240.16384; Microsoft ® VBScript; Microsoft ® VBScript; vbscript.dll; MD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFA
15027801 | 12 | 13:46:38.110 | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | CreateKey
15027800 | 7 | 13:46:38.110 | C:\Windows\SysWOW64\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850); Windows Cryptographic Primitives Library (Wow64); Microsoft® Windows® Operating System; bcrypt.dll; MD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D
15027798 | 7 | 13:46:38.107 | C:\Windows\SysWOW64\cryptsp.dll | 10.0.14393.2457 (rs1_release_inmarket.180822-1743); Cryptographic Service Provider API; Microsoft® Windows® Operating System; cryptsp.dll; MD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C
15027797 | 7 | 13:46:38.105 | C:\Windows\SysWOW64\wintrust.dll | 10.0.14393.4530 (rs1_release.210705-0736); Microsoft Trust Verification APIs; Microsoft® Windows® Operating System; WINTRUST.DLL; MD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997
15027796 | 7 | 13:46:38.105 | C:\Windows\SysWOW64\msasn1.dll | 10.0.14393.0 (rs1_release.160715-1616); ASN.1 Runtime APIs; Microsoft® Windows® Operating System; msasn1.dll; MD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11
15027795 | 7 | 13:46:38.105 | C:\Windows\SysWOW64\crypt32.dll | 10.0.14393.4350 (rs1_release.210407-2154); Crypto API32; Microsoft® Windows® Operating System; CRYPT32.DLL; MD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1B
15027794 | 7 | 13:46:38.105 | C:\Windows\SysWOW64\wldp.dll | 10.0.14393.3143 (rs1_release.190725-1725); Windows Lockdown Policy; Microsoft® Windows® Operating System; Company cut at "Microsoft" (OriginalFileName, Hashes and the signature fields of this record are on the following line)
Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015027791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.098{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015027790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.097{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015027789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.096{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015027788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.096{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft 
CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015027787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.095{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015027786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.095{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015027785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.094{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015027784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.093{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015027783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.093{8B6011A9-51ED-6143-1600-00000000F001}13246796C:\Windows\System32\svchost.exe{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015027782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.093{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015027781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.092{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015027769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.077{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 734700x800000000000000015027756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.090{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015027755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.088{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015027754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.088{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015027753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.088{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015027752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.087{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015027751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.087{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015027749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.087{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015027748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.086{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015027747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.086{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015027746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.086{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015027745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.086{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015027744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.085{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015027743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.085{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015027742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.085{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015027741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.084{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® 
Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015027740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.084{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 534500x800000000000000015027739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.083{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exe 734700x800000000000000015027738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.083{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015027736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.083{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015027711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.082{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015027709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.081{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015027708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.080{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015027707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.080{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015027706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.079{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015027705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.079{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015027704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.079{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015027702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.078{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015027701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.078{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015027700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.077{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015027699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.077{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000015027696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.076{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015027681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:38.075{8B6011A9-BFBD-6155-A839-02000000F001}69164228C:\Windows\System32\WScript.exe{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015027672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.073{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 734700x800000000000000015027641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.068{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000015027640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:38.068{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015027611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:38.062{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 22542200x800000000000000015028921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:55.526{8B6011A9-BFBE-6155-AA39-02000000F001}5204paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015028920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:54.860{8B6011A9-BFBD-6155-A839-02000000F001}6916paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\System32\wscript.exe 354300x800000000000000015028919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:54.454{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local60961-false172.67.68.88-443https 354300x800000000000000015028918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:53.784{8B6011A9-BFBD-6155-A839-02000000F001}6916C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local60960-false172.67.68.88-443https 734700x800000000000000015028912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:39.078{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015028911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:39.074{8B6011A9-BFBE-6155-AB39-02000000F001}8412C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015028906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:39.075{8B6011A9-BFBE-6155-AB39-02000000F001}8412C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015029225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.101{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 
534500x800000000000000015029197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.113{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe 13241300x800000000000000015029194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:41.112{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015029192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.112{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015029187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.108{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015029186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.107{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 
734700x800000000000000015029147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.085{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.085{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.085{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.084{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000015029099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.088{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015029098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.088{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015029097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.088{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015029096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.087{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
734700x800000000000000015029095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.083{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015029094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.083{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015029093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.083{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015029091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.082{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
734700x800000000000000015029089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.082{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015029088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.082{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015029087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.082{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015029084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.081{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 
734700x800000000000000015029082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.081{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015029080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.081{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015029076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.080{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015029075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.080{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015029073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.079{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015029071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.079{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015029069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.079{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015029068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000015029067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000015029065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFBE-6155-AA39-02000000F001}52045480C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000015029064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:41.078{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 154100x800000000000000015029063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015029062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.077{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015029057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.077{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015029051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.072{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 734700x800000000000000015029048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.077{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015029035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.076{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015029034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.075{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015029033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.075{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000015029032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:41.074{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015029031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:46:41.074{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015029030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.074{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015029029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.074{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015029027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.074{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015029026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.073{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015029025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.073{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015029024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.073{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015029022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.072{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015029020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.072{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000015029019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.069{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015029018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:41.069{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005900169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000031F93D8) 154100x800000000000000015029017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.068{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015029336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:43.138{8B6011A9-BFC3-6155-AF39-02000000F001}6504C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
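The records above are Sysmon XML events with the tags stripped, so each record's fields run together in schema order: the <System> header (EventID, Version, Level, Task, Opcode, Keywords 0x8000000000000000, EventRecordID, Channel, Computer) followed by the EventData fields. What they capture is a chain consistent with script-driven process injection: wscript.exe running C:\temp\remcos.vbs spawns regsvr32.exe /I /S to register the unsigned dynwrapx.dll (DynamicWrapperX, a COM object that lets VBScript/JScript call arbitrary Win32 APIs) from %TEMP% (Event 1, the Event 7 load with Signed=false, and the Event 13 SetValue on HKU\...\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32), then spawns C:\Windows\winhlp32.exe with no arguments and opens it with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS) from a call stack whose last frames are dynwrapx.dll and unbacked memory (the UNKNOWN frames in Event 10, record 15029018). The Python below is an added example, not part of the Attack Range dataset, Sysmon, or this page: it recovers the field boundaries from the fixed anchors in the flattened text and runs the detections a responder would want over seven events copied verbatim from this section (a constructed sample; the EventRecordIDs are the page's). Assumptions: the field order is Sysmon's standard schema for events 1, 5, 7, 10, 12 and 13; the rule names, the user-writable path list and the access-mask bits are mine. Two caveats the code has to work around: the export is not in time order, and SourceProcessId and SourceThreadId in Event 10 are fused (52049328 is PID 5204 plus TID 9328, which is only knowable because other events show PID 5204).

```python
"""Parse and triage the tag-stripped Sysmon export above.

Added example (not code from the Attack Range dataset, Sysmon or this page).
The flat text keeps the field ORDER of Sysmon's XML, so boundaries are recovered
from fixed anchors: the <System> header (EventID, Version, Level=4, Task==EventID,
Opcode=0, Keywords, EventRecordID, Channel), GUIDs, drive-letter paths, quoted
command lines and the MD5=/SHA256= hash list.
"""
import re

# <System> header, then Computer, RuleName ("-"), optional registry EventType, UtcTime.
HEADER = re.compile(
    r'(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)00x80{15}(?P<rec>\d+)'
    r'Microsoft-Windows-Sysmon/Operational(?P<host>[\w.-]+?)-'
    r'(?P<etype>SetValue|CreateKey|DeleteValue|DeleteKey|RenameKey)?'
    r'(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})')
GUID = r'\{[0-9A-F-]{36}\}'
EXE = r'C:\\.+?\.(?:exe|EXE)'                     # process images end in .exe/.EXE
MOD = r'C:\\.+?\.(?:dll|DLL|ocx|exe|EXE)'          # ImageLoaded may be the exe itself
CMD = r'"[^"]+"(?:[^"C]|C(?!:\\)|"[^"]*")*'        # quoted exe + args; stops at the next C:\ field
HASHES = r'MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64}'
BODY = {  # EventData layouts for the event types present in the export
    1: re.compile(GUID + r'(?P<pid>\d+)(?P<image>' + EXE + r').*?(?P<cmd>' + CMD + r').*?' + HASHES + GUID +
                  r'(?P<ppid>\d+)(?P<pimage>' + EXE + r')(?P<pcmd>' + CMD + r')$', re.S),
    5: re.compile(GUID + r'(?P<pid>\d+)(?P<image>' + EXE + r')$'),
    7: re.compile(GUID + r'(?P<pid>\d+)(?P<image>' + EXE + r')(?P<loaded>' + MOD + r').*?(?P<hashes>' + HASHES +
                  r')(?P<signed>true|false)(?P<sig>.*?)(?P<status>Valid|Unavailable)$', re.S),
    10: re.compile(GUID + r'(?P<spid_tid>\d+)(?P<simage>' + EXE + r')' + GUID + r'(?P<tpid>\d+)(?P<timage>' + EXE +
                   r')(?P<access>0x[0-9a-f]+)(?P<trace>.*)$', re.S),  # SourceProcessId+SourceThreadId are fused
    12: re.compile(GUID + r'(?P<pid>\d+)(?P<image>' + EXE + r')(?P<target>HK\w+\\.+?)(?P<details>C:\\.*)?$', re.S),
}
BODY[13] = BODY[12]                                # SetValue adds Details after TargetObject

def parse_events(text):
    """Split the flat export on <System> headers and decode each body by EventID."""
    heads = list(HEADER.finditer(text))
    events = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ev = {k: v for k, v in h.groupdict().items() if v is not None}
        ev['eid'], ev['rec'] = int(ev['eid']), int(ev['rec'])
        body = text[h.end():end].strip()
        layout = BODY.get(ev['eid'])
        m = layout.match(body) if layout else None
        ev.update(m.groupdict() if m else {'raw': body})   # unknown layout: keep the raw body
        events.append(ev)
    return events

USER_WRITABLE = re.compile(r'\\(?:Users|AppData|Temp|ProgramData|Public)\\')   # assumption: my list
INJECT_BITS = 0x0002 | 0x0008 | 0x0020             # PROCESS_CREATE_THREAD | VM_OPERATION | VM_WRITE
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe'}

def base(path):
    return path.rsplit('\\', 1)[-1].lower()

def triage(events):
    """Return (rule, EventRecordID, summary) hits. Sorts by record ID first: the export is
    not in time order and the Event 10 check correlates with earlier Event 1 records."""
    hits, spawned = [], {}                         # spawned: child pid -> (parent, child) for script-host children
    for ev in sorted(events, key=lambda e: e['rec']):
        if 'raw' in ev:
            continue
        eid = ev['eid']
        if eid == 7 and ev['signed'] == 'false' and USER_WRITABLE.search(ev['loaded']):
            hits.append(('unsigned_module_from_user_path', ev['rec'], f"{base(ev['image'])} loaded {ev['loaded']}"))
        elif eid == 13 and 'inprocserver32' in ev['target'].lower() and USER_WRITABLE.search(ev.get('details') or ''):
            hits.append(('com_server_registered_from_user_path', ev['rec'], ev['details']))
        elif eid == 1:
            if base(ev['image']) == 'regsvr32.exe' and ' /i' in ev['cmd'].lower() and USER_WRITABLE.search(ev['cmd']):
                hits.append(('regsvr32_install_from_user_path', ev['rec'], ev['cmd']))
            if base(ev['pimage']) in SCRIPT_HOSTS:
                spawned[ev['pid']] = (base(ev['pimage']), base(ev['image']))
        elif eid == 10 and (int(ev['access'], 16) & INJECT_BITS) == INJECT_BITS:
            # A full-access handle alone is noisy (record 15029065 is ShellExecute doing the same);
            # require a frame from unbacked memory or from a module outside C:\Windows.
            odd = [f for f in ev['trace'].split('|')
                   if f.startswith('UNKNOWN') or not f.lower().startswith('c:\\windows\\')]
            if odd:
                own = spawned.get(ev['tpid'], ('',))[0] == base(ev['simage'])
                rule = 'script_host_injects_into_own_child' if own else 'process_access_with_foreign_frames'
                hits.append((rule, ev['rec'], f"{base(ev['simage'])} -> {base(ev['timage'])} via {', '.join(odd)}"))
    return hits, spawned

# Constructed sample: seven events copied verbatim from the export above (record IDs are the page's).
SAMPLE = ' '.join([
    r'734700x800000000000000015029187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.108{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid',
    r'10341000x800000000000000015029065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFBE-6155-AA39-02000000F001}52045480C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)',
    r'154100x800000000000000015029063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.078{8B6011A9-BFC1-6155-AD39-02000000F001}7236C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"',
    r'10341000x800000000000000015029018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.069{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005900169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000031F93D8)',
    r'154100x800000000000000015029017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:41.068{8B6011A9-BFC1-6155-AC39-02000000F001}1704C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"',
    r'734700x800000000000000015028911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:39.074{8B6011A9-BFBE-6155-AB39-02000000F001}8412C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable',
    r'13241300x800000000000000015028906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:46:39.075{8B6011A9-BFBE-6155-AB39-02000000F001}8412C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll',
])

if __name__ == '__main__':
    for rule, rec, what in triage(parse_events(SAMPLE))[0]:
        print(f'{rec} {rule}: {what}')
```

Running it yields four hits in record order: the InProcServer32 value pointing into %TEMP% (15028906), the unsigned dynwrapx.dll load by regsvr32 (15028911), the wscript.exe handle on its own child winhlp32.exe with UNKNOWN and dynwrapx.dll frames (15029018), and the regsvr32 /I /S install (15029063). Record 15029065, where wscript.exe opens regsvr32.exe with the same 0x1fffff mask, produces nothing: every frame is under C:\Windows (the shell32/windows.storage frames are the normal ShellExecute path), which is why the rule keys on where the stack comes from rather than on the access mask alone. The regex parser exists only to make this flattened export usable; against a live Sysmon channel or a Splunk index, query the structured EventData fields directly.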
734700x800000000000000015029334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.138{8B6011A9-BFC3-6155-AF39-02000000F001}6504C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015029316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.125{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exe 734700x800000000000000015029299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.121{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015029296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.120{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015029295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.120{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015029294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.120{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015029293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.119{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.119{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:43.119{8B6011A9-BFC3-6155-AE39-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® 
13:46:45.193{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015029502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.193{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015029501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.193{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015029500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.193{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000015029493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.176{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 18141800x800000000000000015029475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 13:46:45.190{8B6011A9-BFBE-6155-AA39-02000000F001}5204\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000015029473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.166{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000015029464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.164{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 10341000x800000000000000015029446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.178{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015029445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.178{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015029444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015029443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015029442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015029441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015029440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015029439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015029438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015029437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015029436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.177{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015029435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.176{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 11241100x800000000000000015029434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.174{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000015029433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.174{8B6011A9-BFBE-6155-AA39-02000000F001}5204ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 
10341000x800000000000000015029431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015029430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015029429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015029428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015029427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015029426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015029425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.171{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015029419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.163{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000015029397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.160{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exe 
734700x800000000000000015029396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.156{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015029395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.155{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015029394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.155{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015029393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.155{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 
734700x800000000000000015029392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015029390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015029389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft 
WindowsValid 734700x800000000000000015029388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015029387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.154{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015029386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.153{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015029385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.153{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 
734700x800000000000000015029384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.153{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015029383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.152{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015029382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.152{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015029381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.152{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000015029380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.152{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015029379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.151{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015029378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.151{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015029377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.151{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000015029376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.150{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015029375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.150{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015029374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.150{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015029373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.149{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000015029372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.149{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015029371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.149{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015029370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.149{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015029369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.148{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000015029368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.148{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015029367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.148{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015029366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.147{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015029365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.146{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000015029364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.146{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015029363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.145{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015029362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.145{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015029361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.145{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000015029360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.145{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015029359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.144{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015029358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.144{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015029357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.144{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000015029356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.143{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015029355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.143{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015029354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.143{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015029353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.140{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015029352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:46:45.140{8B6011A9-BFBE-6155-AA39-02000000F001}52049328C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005BA0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000031F93F0) 154100x800000000000000015029351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:46:45.140{8B6011A9-BFC5-6155-B039-02000000F001}4592C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BFBE-6155-AA39-02000000F001}5204C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 10341000x800000000000000015033001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:50:50.998{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\temp\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015033000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:50:50.996{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\Temp\winhlp32.exeC:\Windows\SysWOW64\HelpPaneProxy.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Help ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationhelppaneproxy.dllMD5=E2AEBCDD66035AAB459B129946BEC8B8,SHA256=155BADD79618A0E3F14C64D4CAFCC69107B933603CCDDAE4D16CBD1F847495F0trueMicrosoft WindowsValid 734700x800000000000000015032999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:50:50.995{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\Temp\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 10341000x800000000000000015032998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:50:50.988{8B6011A9-51ED-6143-1600-00000000F001}13246796C:\Windows\System32\svchost.exe{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\temp\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015032997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:50:50.987{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\temp\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015032996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:50:50.987{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\Temp\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015032995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:50:50.982{8B6011A9-C0BA-6155-D139-02000000F001}9068C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft 
Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015034403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:16.988{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015034402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:16.988{8B6011A9-B0F1-6155-7237-02000000F001}12523484C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015034401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:16.987{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" 
"C:\temp\remcos.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015035230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.934{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015035229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.933{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015035228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.932{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015035223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.817{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000015035222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.802{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015035221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.802{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015035220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.802{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015035219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.802{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015035218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.801{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® 
Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000015035217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015035216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015035215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015035214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015035213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015035212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015035211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x800000000000000015035210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015035209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015035208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015035207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015035206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.799{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015035205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.798{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015035204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.798{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015035203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.797{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000015035202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.795{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000015035201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.794{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000015035200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.781{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 
734700x800000000000000015035199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.780{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000015035198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.766{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015035197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.764{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000015035196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.764{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000015035194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.763{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015035189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.761{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015035188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.760{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000015035187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.755{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015035186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.755{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015035185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.753{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015035183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.752{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015035182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.752{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015035181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:51:17.752{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015035180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015035179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015035178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015035177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015035176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015035175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:51:17.751{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015035174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.750{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000015035173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.750{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015035172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.750{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015035171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.750{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 
12241200x800000000000000015035170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.750{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015035169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.749{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000015035168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.749{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015035167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.749{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000015035166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.748{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000015035165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.748{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000015035164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.747{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000015035163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.553{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000015034761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.551{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000015034733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.550{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x800000000000000015034715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.550{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000015034713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.550{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000015034712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.546{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000015034709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.290{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000015034708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.290{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000015034707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.288{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000015034695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.142{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 734700x800000000000000015034669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.127{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x800000000000000015034643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.123{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 13241300x800000000000000015034616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015034614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.122{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® 
Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 13241300x800000000000000015034612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015034608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015034603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015034598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015034596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.128{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000015034595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015034594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015034592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015034591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015034590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015034589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015034588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015034587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 
12241200x800000000000000015034586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015034585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015034584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.125{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015034583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.124{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015034582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.124{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015034580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.124{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000015034576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.119{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 734700x800000000000000015034548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.105{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x800000000000000015034527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.105{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015034525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.091{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000015034524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000015034523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015034517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.087{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000015034516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.085{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015034515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.084{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000015034514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.077{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015034513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.077{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015034512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.077{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015034510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015034509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015034508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015034507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015034506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015034505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015034504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:51:17.076{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015034503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000015034502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015034501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015034500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 
13241300x800000000000000015034499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015034498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:17.075{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015034497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.074{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015034496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.074{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000015034495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.074{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015034494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.074{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000015034493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.073{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000015034492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.073{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000015034491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.072{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x800000000000000015034490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.070{8B6011A9-51EB-6143-0B00-00000000F001}6328916C:\Windows\system32\lsass.exe{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015034489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.070{8B6011A9-51EB-6143-0B00-00000000F001}6328916C:\Windows\system32\lsass.exe{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000015034488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.070{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015034487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.066{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000015034486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.065{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000015034485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.064{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x800000000000000015034484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.064{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015034483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.064{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015034482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.064{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000015034481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.062{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000015034480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.047{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015034479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.043{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015034478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.043{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015034477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.042{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000015034476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.042{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015034475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.042{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015034474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.042{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015034473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.041{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000015034472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.041{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015034471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.040{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015034470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.039{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015034469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.038{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015034468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.038{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015034467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.037{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015034466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.037{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015034465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.037{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000015034464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.035{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification 
APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015034463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.032{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015034462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.031{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015034461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.018{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000015034460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.016{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015034459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.015{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015034453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.007{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 734700x800000000000000015034434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.009{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015034433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.009{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000015034432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:17.007{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 12241200x800000000000000015034430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.002{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015034429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:17.002{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000015034428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:17.001{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015035338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.658{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015035334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:18.654{8B6011A9-C0D6-6155-DE39-02000000F001}9908C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015035332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.654{8B6011A9-C0D6-6155-DE39-02000000F001}9908C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015035281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.286{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015035279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.284{8B6011A9-C0D5-6155-DD39-02000000F001}3380880C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C0D6-6155-DE39-02000000F001}9908C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcor
e.dll+2fffa(wow64) 154100x800000000000000015035278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.285{8B6011A9-C0D6-6155-DE39-02000000F001}9908C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015035277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.280{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015035276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:18.278{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015035275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:18.268{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015035274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:51:18.268{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015035273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.268{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015035272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.254{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015035240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.235{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015035239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.228{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015035238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.225{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015035237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.224{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000015035236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:18.223{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015035235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:18.222{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015035234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.222{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015035233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:18.219{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 354300x800000000000000015035354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:34.057{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52079-false172.67.68.88-443https 354300x800000000000000015035351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:33.381{8B6011A9-C0D4-6155-DB39-02000000F001}6616C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52078-false172.67.68.88-443https 22542200x800000000000000015035348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:35.129{8B6011A9-C0D5-6155-DD39-02000000F001}3380paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015035347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:34.453{8B6011A9-C0D4-6155-DB39-02000000F001}6616paste.ee0::ffff:172.67.68.88;::ffff:104.26.4.223;::ffff:104.26.5.223;C:\Windows\System32\wscript.exe 534500x800000000000000015035465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.694{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exe 
734700x800000000000000015035463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.689{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015035462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.689{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 13241300x800000000000000015035459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:20.688{8B6011A9-C0D8-6155-E039-02000000F001}7960C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015035457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.688{8B6011A9-C0D8-6155-E039-02000000F001}7960C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015035450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.678{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015035420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.668{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015035419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.667{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015035417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.667{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015035416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.666{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015035415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.666{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015035414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.666{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015035413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.666{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015035412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.664{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015035411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.662{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015035410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.662{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015035409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.662{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015035408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.661{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015035406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.661{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015035404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.661{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015035403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.661{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015035401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.660{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015035399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.660{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015035397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.660{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015035393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.659{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015035391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.658{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015035390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.658{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015035388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.658{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015035386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.658{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015035384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.657{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015035383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.657{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015035381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.656{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000015035380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:20.656{8B6011A9-C0D5-6155-DD39-02000000F001}33804384C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C0D8-6155-E039-02000000F001}7960C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015035379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.656{8B6011A9-C0D8-6155-E039-02000000F001}7960C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015035378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.656{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015035377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.656{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015035376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.655{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015035375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.654{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000015035374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.654{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015035373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.653{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000015035372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:20.653{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015035371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:20.653{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015035370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.653{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015035369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.653{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.653{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015035367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.652{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.652{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015035365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.652{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015035364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.651{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015035363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.651{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015035362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.651{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015035361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.648{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015035360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.648{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005970169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086A4CD0) 154100x800000000000000015035359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:20.647{8B6011A9-C0D8-6155-DF39-02000000F001}704C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015035597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:51:22.713{8B6011A9-C0DA-6155-E239-02000000F001}6836C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015035595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.712{8B6011A9-C0DA-6155-E239-02000000F001}6836C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015035576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.699{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exe 734700x800000000000000015035560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.695{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 
734700x800000000000000015035557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015035556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015035555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015035554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000015035553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015035552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.694{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015035551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.693{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015035550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.693{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000015035548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.693{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015035547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.692{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015035546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.692{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015035545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.692{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
734700x800000000000000015035543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.691{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015035541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.691{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015035540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.691{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015035538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.691{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 
734700x800000000000000015035536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.690{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015035533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.690{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015035531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.690{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015035528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.689{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 
734700x800000000000000015035527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.689{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015035524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.688{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015035522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.688{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015035521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.688{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 
EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035520, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.687
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\msvcrt.dll
  FileVersion: 7.0.14393.2457 (rs1_release_inmarket.180822-1743)
  Description: Windows NT CRT DLL
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: msvcrt.dll
  Hashes: MD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid

EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035518, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.687
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\advapi32.dll
  FileVersion: 10.0.14393.4467 (rs1_release.210604-1844)
  Description: Advanced Windows 32 Base API
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: advapi32.dll
  Hashes: MD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid

EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035517, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.687
  SourceProcessGUID: {8B6011A9-C0D5-6155-DD39-02000000F001}
  SourceProcessId: 3380
  SourceThreadId: 4916
  SourceImage: C:\Windows\SYSWOW64\WSCRIPT.EXE
  TargetProcessGUID: {8B6011A9-C0DA-6155-E239-02000000F001}
  TargetProcessId: 6836
  TargetImage: C:\Windows\SysWOW64\regsvr32.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)

EventID 1 (ProcessCreate), Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035516, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.687
  ProcessGuid: {8B6011A9-C0DA-6155-E239-02000000F001}
  ProcessId: 6836
  Image: C:\Windows\SysWOW64\regsvr32.exe
  FileVersion: 10.0.14393.1378 (rs1_release.170620-2008)
  Description: Microsoft(C) Register Server
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: REGSVR32.EXE
  CommandLine: "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"
  CurrentDirectory: C:\Users\Administrator\Desktop\
  User: ATTACKRANGE\Administrator
  LogonGuid: {8B6011A9-5DE5-6143-CEE2-400000000000}
  LogonId: 0x40e2ce
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467
  ParentProcessGuid: {8B6011A9-C0D5-6155-DD39-02000000F001}
  ParentProcessId: 3380
  ParentImage: C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine: "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"

EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035515, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.687
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\gdi32full.dll
  FileVersion: 10.0.14393.4530 (rs1_release.210705-0736)
  Description: GDI Client DLL
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: gdi32
  Hashes: MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07A
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid

EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035514, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.686
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\gdi32.dll
  FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
  Description: GDI Client DLL
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: gdi32
  Hashes: MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid

EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035513, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.686
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\win32u.dll
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Win32u
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: Win32u.DLL
  Hashes: MD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid

EventID 7 (ImageLoad), Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15035512, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local
  RuleName: -
  UtcTime: 2021-09-30 13:51:22.686
  ProcessGuid: {8B6011A9-C0DA-6155-E139-02000000F001}
  ProcessId: 5464
  Image: C:\Windows\winhlp32.exe
  ImageLoaded: C:\Windows\SysWOW64\user32.dll
  FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
  Description: Multi-User Windows USER API Client DLL
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: user32
  Hashes: MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C
  Signed: true
  Signature: Microsoft Windows
  SignatureStatus: Valid
734700x800000000000000015035511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.685{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015035510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.685{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x800000000000000015035509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:51:22.684{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015035508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.684{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000015035507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:51:22.684{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015035506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.684{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015035505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.683{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.683{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015035503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.683{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.682{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015035501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.682{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015035500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.682{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015035499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.681{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015035498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.681{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015035497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.679{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015035496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:22.678{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005BA0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086A4DF0) 154100x800000000000000015035495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:22.678{8B6011A9-C0DA-6155-E139-02000000F001}5464C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 534500x800000000000000015035703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.776{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000015035702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.763{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015035701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.763{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015035700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.763{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015035699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.763{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015035698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015035697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015035696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015035695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015035694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015035693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015035692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.762{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015035691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
734700x800000000000000015035650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.726{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015035649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.726{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015035648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.726{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015035647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.726{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
734700x800000000000000015035646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.725{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015035645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.725{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015035644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.725{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015035643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.724{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
734700x800000000000000015035642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.724{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015035641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.724{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015035640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.724{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015035639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.723{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 
734700x800000000000000015035638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.723{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015035637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.723{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015035636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.722{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015035635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.722{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015035634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.721{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015035633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.721{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015035632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.721{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015035631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.721{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000015035630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.720{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015035629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.720{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015035628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.720{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015035627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.719{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015035626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.719{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015035625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.718{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015035624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.718{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015035623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.717{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015035622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.717{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015035621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.717{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.717{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015035619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.716{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015035618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.716{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015035617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.716{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015035616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.715{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015035615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.715{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015035614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:51:24.715{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015035613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.712{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015035612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.712{8B6011A9-C0D5-6155-DD39-02000000F001}33807800C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006F90169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086A4E38) 154100x800000000000000015035611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:51:24.711{8B6011A9-C0DC-6155-E339-02000000F001}7504C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C0D5-6155-DD39-02000000F001}3380C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015041301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.982{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000015041300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.982{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000015041299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.981{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 
734700x800000000000000015041296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.866{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000015041295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:39.854{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015041289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.853{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000015041288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:39.852{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015041287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:39.852{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015041286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:39.852{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015041285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041284 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041283 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041282 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041281 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041280 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041279 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041278 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041277 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041276 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.852 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041275 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.851 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\dpapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | Data Protection API | Microsoft® Windows® Operating System | Microsoft Corporation | dpapi.dll | MD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041274 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.851 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\ntasn1.dll | 10.0.14393.0 (rs1_release.160715-1616) | Microsoft ASN.1 API | Microsoft® Windows® Operating System | Microsoft Corporation | ntasn1.dll | MD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041273 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.850 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\ncrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows NCrypt Router | Microsoft® Windows® Operating System | Microsoft Corporation | ncrypt.dll | MD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041272 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.850 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\mskeyprotect.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Microsoft Key Protection Provider | Microsoft® Windows® Operating System | Microsoft Corporation | mskeyprotect.dll | MD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041271 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.838 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041270 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.838 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\schannel.dll | 10.0.14393.4225 (rs1_release.210127-1811) | TLS / SSL Security Provider | Microsoft® Windows® Operating System | Microsoft Corporation | schannel.dll | MD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041269 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.827 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\FWPUCLNT.DLL | 10.0.14393.0 (rs1_release.160715-1616) | FWP/IPsec User-Mode API | Microsoft® Windows® Operating System | Microsoft Corporation | fwpuclnt.dll | MD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041268 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.818 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\rasadhlp.dll | 10.0.14393.0 (rs1_release.160715-1616) | Remote Access AutoDial Helper | Microsoft® Windows® Operating System | Microsoft Corporation | rasadhlp.dll | MD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041267 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041266 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041265 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041264 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041263 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041262 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041261 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.817 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041260 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.815 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041259 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.815 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9 | true | Microsoft Windows | Valid
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041258 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.813 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix | Visited:
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041257 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.813 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix | Cookie:
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041256 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.813 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | (Empty)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041254 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings | Binary Data
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041253 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\winnsi.dll | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | Network Store Information RPC interface | Microsoft® Windows® Operating System | Microsoft Corporation | winnsi.dll | MD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041252 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041251 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041250 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable | DWORD (0x00000000)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041249 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041248 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041247 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041246 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.811 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041245 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.810 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\mswsock.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft Windows Sockets 2.0 Service Provider | Microsoft® Windows® Operating System | Microsoft Corporation | mswsock.dll | MD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202 | true | Microsoft Windows | Valid
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041244 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.808 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | DWORD (0x00000000)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041243 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.808 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | DWORD (0x00000000)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041242 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.808 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | DWORD (0x00000000)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 15041241 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | SetValue | 2021-09-30 13:58:39.808 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | DWORD (0x00000000)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041240 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.808 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041239 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.807 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041238 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.807 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\winhttp.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Windows HTTP Services | Microsoft® Windows® Operating System | Microsoft Corporation | winhttp.dll | MD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041237 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.806 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041236 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.806 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\OnDemandConnRouteHelper.dll | 10.0.14393.4169 (rs1_release.210107-1130) | On Demand Connctiond Route Helper | Microsoft® Windows® Operating System | Microsoft Corporation | OnDemandConnRouteHelper.dll | MD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041235 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.805 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15041234 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.803 | {8B6011A9-51EB-6143-0B00-00000000F001} | 632 | 8916 | C:\Windows\system32\lsass.exe | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15041233 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.803 | {8B6011A9-51EB-6143-0B00-00000000F001} | 632 | 8916 | C:\Windows\system32\lsass.exe | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041232 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.803 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\sspicli.dll | 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | sspicli.dll | MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041231 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.800 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\mlang.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi Language Support DLL | Microsoft® Windows® Operating System | Microsoft Corporation | MLANG.DLL | MD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041230 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.799 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\wininet.dll | 11.00.14393.4583 (rs1_release.210730-1850) | Internet Extensions for Win32 | Internet Explorer | Microsoft Corporation | wininet.dll | MD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041229 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.767 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041228 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.767 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041227 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.767 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\iertutil.dll | 11.00.14393.4467 (rs1_release.210604-1844) | Run time utility for Internet Explorer | Internet Explorer | Microsoft Corporation | IeRtUtil.dll | MD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041226 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.767 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\urlmon.dll | 11.00.14393.4530 (rs1_release.210705-0736) | OLE32 Extensions for Win32 | Internet Explorer | Microsoft Corporation | UrlMon.dll | MD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041225 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.765 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\msxml3.dll | 8.110.14393.4467 | MSXML 3.0 | Microsoft XML Core Services | Microsoft Corporation | MSXML3.dll | MD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041224 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.764 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\scrobj.dll | 5.812.10240.16384 | Windows ® Script Component Runtime | Microsoft ® Windows ® Script Component Runtime | Microsoft Corporation | scrobj.dll | MD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041223 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.762 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\profapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | User Profile Basic API | Microsoft® Windows® Operating System | Microsoft Corporation | PROFAPI.DLL | MD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041222 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.762 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130) | SHCORE | Microsoft® Windows® Operating System | Microsoft Corporation | SHCORE.dll | MD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041221 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.762 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\shlwapi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Shell Light-weight Utility Library | Microsoft® Windows® Operating System | Microsoft Corporation | SHLWAPI.DLL | MD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041220 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.762 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | Microsoft® Windows® Operating System | Microsoft Corporation | POWRPROF.DLL | MD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041219 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.761 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\windows.storage.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft WinRT Storage API | Microsoft® Windows® Operating System | Microsoft Corporation | Windows.Storage.dll | MD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041218 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.761 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | Microsoft® Windows® Operating System | Microsoft Corporation | CFGMGR32.DLL | MD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041217 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.761 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\shell32.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Shell Common Dll | Microsoft® Windows® Operating System | Microsoft Corporation | SHELL32.DLL | MD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041216 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.760 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\wshext.dll | 5.812.10240.16384 | Microsoft ® Shell Extension for Windows Script Host | Microsoft ® Windows Script Host | Microsoft Corporation | wshext.dll | MD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041215 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.760 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\coml2.dll | 10.0.14393.2608 (rs1_release.181024-1742) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COML2.DLL | MD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041214 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.759 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\msisip.dll | 5.0.14393.4530 (rs1_release.210705-0736) | MSI Signature SIP Provider | Windows Installer - Unicode | Microsoft Corporation | MSISIP.DLL | MD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041213 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.759 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041212 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.758 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041211 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.758 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041210 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.758 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041209 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.757 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041208 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.756 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\wintrust.dll | 10.0.14393.4530 (rs1_release.210705-0736) | Microsoft Trust Verification APIs | Microsoft® Windows® Operating System | Microsoft Corporation | WINTRUST.DLL | MD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041207 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.756 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\msasn1.dll | 10.0.14393.0 (rs1_release.160715-1616) | ASN.1 Runtime APIs | Microsoft® Windows® Operating System | Microsoft Corporation | msasn1.dll | MD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041206 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.755 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\crypt32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Crypto API32 | Microsoft® Windows® Operating System | Microsoft Corporation | CRYPT32.DLL | MD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041205 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.755 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\wldp.dll | 10.0.14393.3143 (rs1_release.190725-1725) | Windows Lockdown Policy | Microsoft® Windows® Operating System | Microsoft Corporation | wldp.dll | MD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041204 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.754 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\amsi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Anti-Malware Scan Interface | Microsoft® Windows® Operating System | Microsoft Corporation | amsi.dll | MD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041203 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.754 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\vbscript.dll | 5.812.10240.16384 | Microsoft ® VBScript | Microsoft ® VBScript | Microsoft Corporation | vbscript.dll | MD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041202 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.753 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\clbcatq.dll | 2001.12.10941.16384 (rs1_release.210107-1130) | COM+ Configuration Catalog | Microsoft® Windows® Operating System | Microsoft Corporation | CLBCATQ.DLL | MD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041201 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.753 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\dwmapi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft Desktop Window Manager API | Microsoft® Windows® Operating System | Microsoft Corporation | dwmapi.dll | MD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041200 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.751 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\msctf.dll | 10.0.14393.4530 (rs1_release.210705-0736) | MSCTF Server DLL | Microsoft® Windows® Operating System | Microsoft Corporation | MSCTF.DLL | MD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041199 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.751 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\sxs.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Fusion 2.5 | Microsoft® Windows® Operating System | Microsoft Corporation | SXS.DLL | MD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041198 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.750 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 15041197 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | CreateKey | 2021-09-30 13:58:39.750 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15041196 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.750 | {8B6011A9-51ED-6143-0C00-00000000F001} | 852 | 4040 | C:\Windows\system32\svchost.exe | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15041195 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.749 | {8B6011A9-51ED-6143-1600-00000000F001} | 1324 | 1472 | C:\Windows\System32\svchost.exe | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 15041194 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.749 | {8B6011A9-51ED-6143-1600-00000000F001} | 1324 | 1356 | C:\Windows\System32\svchost.exe | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\WScript.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041193 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.748 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\uxtheme.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft UxTheme Library | Microsoft® Windows® Operating System | Microsoft Corporation | UxTheme.dll | MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041192 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.748 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 15041191 | Microsoft-Windows-Sysmon/Operational | win-dc-469.attackrange.local | - | 2021-09-30 13:58:39.746 | {8B6011A9-C28F-6155-193A-02000000F001} | 5136 | C:\Windows\System32\wscript.exe | C:\Windows\System32\imm32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Multi-User Windows IMM32 API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | imm32 | MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A | true | Microsoft
WindowsValid 734700x800000000000000015041190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.745{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000015041189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.745{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000015041188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.744{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000015041187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.744{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000015041186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.744{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000015041185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.743{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000015041184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.743{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000015041183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.743{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000015041182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.743{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000015041181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.743{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000015041180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.742{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015041179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.742{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015041178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.742{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015041177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.741{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015041176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.741{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000015041175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.740{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015041174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.740{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015041173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.739{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015041172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.739{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015041171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:39.738{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015041170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.738{8B6011A9-B0F1-6155-7237-02000000F001}12527316C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015041169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:39.738{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015041653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.923{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015041649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:40.920{8B6011A9-C290-6155-1C3A-02000000F001}5916C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015041647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.920{8B6011A9-C290-6155-1C3A-02000000F001}5916C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015041598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.896{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015041596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.895{8B6011A9-C290-6155-1B3A-02000000F001}102247184C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C290-6155-1C3A-02000000F001}5916C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015041595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.895{8B6011A9-C290-6155-1C3A-02000000F001}5916C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015041594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.891{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015041593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.890{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015041592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.881{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015041591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.880{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015041590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.880{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015041589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.878{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015041557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.862{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015041556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.860{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015041555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.859{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015041554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.858{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000015041553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.857{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015041552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.857{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015041551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.857{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015041550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.856{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000015041545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.576{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015041544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.576{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015041543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.575{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015041539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.458{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000015041536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:40.446{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:40.445{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:40.445{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015041533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:40.445{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015041532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.444{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® 
WindowsValid 734700x800000000000000015041433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.314{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015041432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.313{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015041431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.313{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015041430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.312{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000015041429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.312{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015041428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.312{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015041427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.311{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015041426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.311{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000015041425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.311{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015041424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.311{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015041423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.310{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015041422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.310{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015041421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.310{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015041420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.309{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 534500x800000000000000015041419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.309{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exe 734700x800000000000000015041418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.309{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015041417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.309{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015041416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.309{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015041415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.307{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015041414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.307{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015041413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.306{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® 
Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015041412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.306{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015041411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.306{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015041410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.306{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015041409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.305{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015041408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.305{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015041407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.305{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015041406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.304{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015041405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.304{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015041404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.304{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000015041403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.303{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015041402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.302{8B6011A9-C28F-6155-193A-02000000F001}51368852C:\Windows\System32\WScript.exe{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015041401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.303{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 734700x800000000000000015041400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.299{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000015041399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.298{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015041398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.293{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000015041313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.231{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000015041312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.229{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000015041311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.228{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000015041310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.227{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000015041309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.227{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000015041308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:40.227{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000015041307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:40.226{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000015041306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:40.226{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 354300x800000000000000015041667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:56.716{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52318-false172.67.68.88-443https 354300x800000000000000015041666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:56.126{8B6011A9-C28F-6155-193A-02000000F001}5136C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52317-false172.67.68.88-443https 22542200x800000000000000015041665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:57.791{8B6011A9-C290-6155-1B3A-02000000F001}10224paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015041664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:57.201{8B6011A9-C28F-6155-193A-02000000F001}5136paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\System32\wscript.exe 13241300x800000000000000015041772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 13:58:42.955{8B6011A9-C292-6155-1E3A-02000000F001}9128C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
734700x800000000000000015041770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.954{8B6011A9-C292-6155-1E3A-02000000F001}9128C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015041753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.941{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exe 734700x800000000000000015041736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.937{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015041732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.937{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015041731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.937{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015041730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015041729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015041728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015041727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® 
Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015041726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015041725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.936{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015041724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.935{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015041722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.935{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015041721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.935{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015041720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.934{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015041719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.934{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015041717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.934{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015041715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.933{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015041714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.933{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015041712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.933{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015041710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.933{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015041708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.932{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015041705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.932{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015041703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.931{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015041701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.931{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015041700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.931{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015041697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.930{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015041695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.930{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015041694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.930{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015041693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.929{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015041691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.929{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000015041690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:42.929{8B6011A9-C290-6155-1B3A-02000000F001}102242700C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C292-6155-1E3A-02000000F001}9128C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015041689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.930{8B6011A9-C292-6155-1E3A-02000000F001}9128C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" 
//b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015041688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.929{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015041687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.928{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015041686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.927{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015041685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.927{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000015041684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.926{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000015041683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:42.926{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015041682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.926{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015041681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 13:58:42.926{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015041680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.926{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015041679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.926{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015041678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.925{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015041677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.925{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015041676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.925{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015041675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.924{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015041674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.924{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015041673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.924{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015041672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.921{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015041671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.921{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005CD0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008803FD0) 154100x800000000000000015041670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:42.921{8B6011A9-C292-6155-1D3A-02000000F001}5104C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015041889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
13:58:44.986{8B6011A9-C294-6155-203A-02000000F001}8552C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015041887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.985{8B6011A9-C294-6155-203A-02000000F001}8552C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015041869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.972{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exe 734700x800000000000000015041852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.968{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015041849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015041848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015041847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015041846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015041845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 
734700x800000000000000015041844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.967{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015041843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.966{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015041842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.966{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015041841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.966{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 
734700x800000000000000015041839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.966{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015041838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.965{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015041837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.965{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015041836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:44.965{8B6011A9-C294-6155-1F3A-02000000F001}9888C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 
13:58:47.031{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015042060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.031{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015042058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015042056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015042055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015042054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015042052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015042051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015042050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015042048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.030{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015042047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.029{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015042046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.029{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015042045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.029{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015042044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.029{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000015042043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.028{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000015042041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 13:58:47.027{8B6011A9-C290-6155-1B3A-02000000F001}10224\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000015042040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.027{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000015042020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.026{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000015042013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.022{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015042012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.022{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015042011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.022{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015042010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.022{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015041987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.021{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015041984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.021{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015041983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015041982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015041981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015041980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015041978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015041977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.020{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000015041974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.019{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 11241100x800000000000000015041973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.019{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000015041972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.018{8B6011A9-C290-6155-1B3A-02000000F001}10224ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000015041966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.016{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015041965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.016{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015041964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.016{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015041963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.016{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015041962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.015{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015041961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.015{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015041960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
13:58:47.015{8B6011A9-C290-6155-1B3A-02000000F001}102246536C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015041951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.012{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000015041949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 13:58:47.010{8B6011A9-C290-6155-1B3A-02000000F001}10224C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 534500x800000000000000015043734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 14:00:55.181{8B6011A9-C296-6155-213A-02000000F001}3140C:\Windows\winhlp32.exe 734700x800000000000000015107630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.998{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015107629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.996{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015107628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.996{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015107627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.995{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015107626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.995{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015107625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.995{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015107624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.995{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015107623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.994{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015107622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.994{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015107621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.994{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015107620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.993{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015107619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.993{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015107617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.985{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015107616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.984{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015107615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.984{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015107614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.983{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015107613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.983{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015107612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.983{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015107611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.983{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015107610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.982{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015107609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.982{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015107608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.982{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015107607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.981{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015107606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.981{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015107605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.981{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exeC:\Temp\winhlp32.exe.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015107604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.980{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-D307-6155-463C-02000000F001}5284C:\temp\winhlp32.exe.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015107603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:08:55.979{8B6011A9-B0F1-6155-7237-02000000F001}12529616-{8B6011A9-D307-6155-463C-02000000F001}5284C:\temp\winhlp32.exe.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+3c91c|C:\Windows\System32\shell32.dll+e2087|C:\Windows\System32\shell32.dll+e1fe5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x800000000000000015107602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:08:55.980{8B6011A9-D307-6155-463C-02000000F001}5284C:\Temp\winhlp32.exe.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\temp\winhlp32.exe.exe" 
734700x800000000000000015114390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.577{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015114389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.577{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015114388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.577{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015114387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.577{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValid 
734700x800000000000000015114386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.576{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015114385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.576{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015114384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.576{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015114383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.576{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 
734700x800000000000000015114382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.575{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015114381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.575{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015114380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.575{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015114379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.574{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 
734700x800000000000000015114378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.574{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015114377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.574{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015114376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.573{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015114375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.573{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000015114374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.573{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015114373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.573{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015114372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.573{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015114371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.572{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
734700x800000000000000015114370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.572{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015114369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.572{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015114368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.571{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015114367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.571{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000015114365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.571{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015114364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.571{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015114362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.565{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x800000000000000015114361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.564{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000015114360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.564{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015114359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.563{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015114358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.563{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015114357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.563{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000015114356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.563{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015114355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.562{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015114354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.562{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015114353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.562{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000015114352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.561{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015114351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.561{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015114350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.561{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exeC:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015114349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.560{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015114348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:10:29.559{8B6011A9-B0F1-6155-7237-02000000F001}12529616-{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+3c91c|C:\Windows\System32\shell32.dll+e2087|C:\Windows\System32\shell32.dll+e1fe5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x800000000000000015114347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:10:29.560{8B6011A9-D365-6155-6E3C-02000000F001}8640C:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\temp\winhlp32.exe" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 534500x800000000000000015140110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.487{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exe 734700x800000000000000015140090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.469{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 10341000x800000000000000015140089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.466{8B6011A9-51ED-6143-0C00-00000000F001}8529824C:\Windows\system32\svchost.exe{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\temp\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000015140088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.465{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\HelpPaneProxy.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Help ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationhelppaneproxy.dllMD5=E2AEBCDD66035AAB459B129946BEC8B8,SHA256=155BADD79618A0E3F14C64D4CAFCC69107B933603CCDDAE4D16CBD1F847495F0trueMicrosoft WindowsValid 734700x800000000000000015140087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.464{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 10341000x800000000000000015140086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.461{8B6011A9-51ED-6143-1600-00000000F001}13248620C:\Windows\System32\svchost.exe{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\temp\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015140085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.461{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\temp\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015140084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.460{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015140083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.456{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015140082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.455{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\dciman32.dll10.0.14393.0 (rs1_release.160715-1616)DCI ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdciman32MD5=550BA2C78144D79BD4CE88F9BE77BE9F,SHA256=295446F96E53BEF65A1DECCDC457DD61F56252EC39FD3CAF5DDE8834FFBB8785trueMicrosoft WindowsValid 
734700x800000000000000015140081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.455{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015140080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.455{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=A6D357B5D2E7F2465F6FA882AA821E28,SHA256=94E388860E6CF3C8A2B4DA25C23D8B54A88C49E6CB7664B8A164FFC2B9316E7AtrueMicrosoft WindowsValid 734700x800000000000000015140079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.454{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=8E3C6A8EC029C91825AF395AC25D42AF,SHA256=7C2F9B37E01F41DF2B9958F7F647EF7F1AD6BC45839644D30F20FFA4BE4060EDtrueMicrosoft WindowsValid 734700x800000000000000015140078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.453{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015140077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.453{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015140076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.453{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValid 734700x800000000000000015140075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.452{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ddraw.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)Microsoft DirectDrawMicrosoft® Windows® Operating SystemMicrosoft CorporationDDraw.dllMD5=6EEDA6E373766904488926822E777536,SHA256=7AC8AECB6E830534DFDF7F7AFA8A8CA8A8E1A4DE753B6A315233B28A0E6D90D4trueMicrosoft WindowsValid 734700x800000000000000015140074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.452{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015140073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.450{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=B65F2AFD9AA2BE2DBE0E1CE72FF7F75C,SHA256=3B44113F845FD512530AADAA6CC437028E635742D92E28AF57B9F32BA958B697trueMicrosoft WindowsValid 734700x800000000000000015140072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.450{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000015140071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.449{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015140070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.449{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 
734700x800000000000000015140069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.449{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015140068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.449{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015140067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.448{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValid 734700x800000000000000015140066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.448{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 
734700x800000000000000015140065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.448{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015140064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.448{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015140063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.447{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015140062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.447{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 
734700x800000000000000015140061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.447{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015140060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.447{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015140059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.446{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015140058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.446{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 
734700x800000000000000015140057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.446{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015140056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.445{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015140055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.445{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015140054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.445{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015140053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.445{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015140052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.445{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015140051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.444{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015140050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.444{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015140049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.444{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015140048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.444{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015140047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.443{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015140046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.443{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015140045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.443{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015140044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.443{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\AppPatch\AcSpecfc.dll10.0.14393.3115 (rs1_release_1.190708-1703)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=DFF7532E4CD772161528925D77EBAC54,SHA256=68B1FF190FD9601E1F441A0AA6D727618BE1A59099278B52178F4BB450E9D257trueMicrosoft WindowsValid 734700x800000000000000015140043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.441{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x800000000000000015140042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.440{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015140041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.440{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015140040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.439{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015140039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.439{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015140038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.439{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015140037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.438{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015140036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.438{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015140035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.438{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015140034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.437{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015140033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.437{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015140032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.437{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015140031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.437{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exeC:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015140030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.435{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015140029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
15:46:09.435{8B6011A9-B0F1-6155-7237-02000000F001}12529616-{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+3c91c|C:\Windows\System32\shell32.dll+e2087|C:\Windows\System32\shell32.dll+e1fe5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x800000000000000015140028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 15:46:09.435{8B6011A9-DBC1-6155-753D-02000000F001}1076C:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\temp\winhlp32.exe" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015161110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.988{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015161109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.988{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015161108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.985{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015161107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:44.984{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000015161106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.979{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015161105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.978{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015161104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.972{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015161098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:44.958{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015161075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.957{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015161074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:44.957{8B6011A9-B0F1-6155-7237-02000000F001}12527072C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015161073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:44.955{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015162505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.983{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000015162481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.979{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 12241200x800000000000000015162461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015162455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.982{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000015162447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.951{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 12241200x800000000000000015162429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:45.980{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 13241300x800000000000000015162427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.974{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015162426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.973{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015162425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.973{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015162423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.972{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015162422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x800000000000000015162421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015162420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015162419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015162418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015162417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015162416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 
13241300x800000000000000015162415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.971{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015162414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.970{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 13241300x800000000000000015162413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.970{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015162412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.970{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015162411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.970{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000015162410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.969{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015162409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.969{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000015162408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.969{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015162407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.968{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000015162406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.968{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000015162405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.967{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000015162404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.966{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000015162403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.964{8B6011A9-51EB-6143-0B00-00000000F001}6325032C:\Windows\system32\lsass.exe{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015162402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.964{8B6011A9-51EB-6143-0B00-00000000F001}6325032C:\Windows\system32\lsass.exe{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015162398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.959{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000015162382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.938{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015162372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.958{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000015162371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.955{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015162368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.955{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015162367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.955{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015162366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.954{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015162355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.931{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015162326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.928{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015162301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.925{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000015162266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.923{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015162257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.933{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015162256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.933{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015162255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.933{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015162254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.933{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015162253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.932{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015162252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.932{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015162251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.932{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015162244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.918{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015162214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.917{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 12241200x800000000000000015162198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:45.923{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015162196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.923{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015162195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.921{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015162194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.919{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000015162193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.919{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 
(rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015162192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.919{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015162191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.919{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015162188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.912{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015162187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.911{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window 
Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015162186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.910{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015162185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.910{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015162184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.909{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015162183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.909{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015162182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015161314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.068{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015161312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015161311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015161310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015161309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015161308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015161307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015161306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015161305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.066{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000015161304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.065{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000015161303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
16:13:45.065{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015161302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.065{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000015161301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.065{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015161300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:45.065{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015161299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.064{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015161298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.064{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000015161297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.064{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015161296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.064{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000015161295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.063{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000015161294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.063{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 
734700x800000000000000015161293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.062{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000015161292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.060{8B6011A9-51EB-6143-0B00-00000000F001}6324784C:\Windows\system32\lsass.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015161291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.060{8B6011A9-51EB-6143-0B00-00000000F001}6324784C:\Windows\system32\lsass.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015161290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.060{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015161289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.056{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000015161288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.056{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000015161287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.055{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000015161286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.055{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015161285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.055{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015161284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.054{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000015161275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.037{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015161246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.026{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015161222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.021{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000015161199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.019{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015161179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.033{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015161178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.033{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015161177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.032{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000015161176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.032{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015161175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.032{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015161174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.031{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015161172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.031{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000015161170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.031{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015161156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.030{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015161155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.018{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015161144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.030{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015161143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:45.029{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015161142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.028{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015161140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.028{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015161139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.028{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015161138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.027{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000015161137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.021{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015161136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.021{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015161133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.013{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015161132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.012{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop 
Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000015161131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.011{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000015161130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.010{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000015161129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.010{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015161128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.010{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000015161127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.009{8B6011A9-51ED-6143-0C00-00000000F001}8529824C:\Windows\system32\svchost.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015161126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.008{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015161125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.008{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015161124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.008{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000015161123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.007{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000015161122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.005{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000015161121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.004{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000015161120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.003{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000015161119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.003{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000015161118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.003{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000015161117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.003{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000015161116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.002{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000015161115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.002{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000015161114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.002{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000015161113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.002{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000015161112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.000{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000015161111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.000{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015163265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.577{8B6011A9-E23A-6155-3E3E-02000000F001}8200C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015163264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.581{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015163207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:46.578{8B6011A9-E23A-6155-3E3E-02000000F001}8200C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015163049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.527{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 734700x800000000000000015163031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.536{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 
734700x800000000000000015163021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.515{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 10341000x800000000000000015163003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.531{8B6011A9-E239-6155-3D3E-02000000F001}90921160C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E23A-6155-3E3E-02000000F001}8200C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015163002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:46.531{8B6011A9-E23A-6155-3E3E-02000000F001}8200C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 12241200x800000000000000015163000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.525{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015162999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.515{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015162998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.515{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015162988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.480{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015162970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.501{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015162952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.473{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015162909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.470{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015162879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.469{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 734700x800000000000000015162848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.467{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015162824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.464{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 12241200x800000000000000015162803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.468{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015162802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.467{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015162787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.161{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft 
Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015162761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.159{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015162743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.161{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015162733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.038{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000015162709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.021{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000015162681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.017{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015162655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.016{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 13241300x800000000000000015162636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:46.023{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015162635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:46.023{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015162634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
16:13:46.022{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015162630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.014{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 13241300x800000000000000015162629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:46.022{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000015162608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.019{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015162607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015162606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015162605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015162604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015162603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015162602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015162601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015162599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015162598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015162597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
12241200x800000000000000015162596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015162595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:46.018{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015162588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:46.013{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000015162562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:45.999{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 12241200x800000000000000015162541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:45.999{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015162533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:45.985{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 354300x800000000000000015163364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:02.406{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54032-false104.26.4.223-443https 354300x800000000000000015163363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:01.684{8B6011A9-E238-6155-3B3E-02000000F001}5916C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54031-false104.26.4.223-443https 22542200x800000000000000015163277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:03.478{8B6011A9-E239-6155-3D3E-02000000F001}9092paste.ee0::ffff:104.26.4.223;::ffff:172.67.68.88;::ffff:104.26.5.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015163276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:02.758{8B6011A9-E238-6155-3B3E-02000000F001}5916paste.ee0::ffff:104.26.4.223;::ffff:172.67.68.88;::ffff:104.26.5.223;C:\Windows\System32\wscript.exe 734700x800000000000000015163498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.599{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft 
CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 13241300x800000000000000015163476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:13:48.610{8B6011A9-E23C-6155-403E-02000000F001}9412C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015163474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.609{8B6011A9-E23C-6155-403E-02000000F001}9412C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015163473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.609{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exe 734700x800000000000000015163468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.604{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015163466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.604{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft 
CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015163433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.587{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015163432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.586{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015163430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.585{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015163429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.585{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015163428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.580{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.580{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.580{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.580{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015163424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.579{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015163423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.579{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015163422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.579{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015163421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.578{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015163419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.578{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015163417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.578{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015163416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.577{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015163415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.577{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015163412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.577{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015163410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.576{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015163407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.576{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015163405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.576{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015163403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.575{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015163402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.575{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015163399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.575{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015163397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.574{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015163396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.574{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015163395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.574{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015163393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.573{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000015163392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:48.573{8B6011A9-E239-6155-3D3E-02000000F001}90927208C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E23C-6155-403E-02000000F001}9412C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015163391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.574{8B6011A9-E23C-6155-403E-02000000F001}9412C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015163390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.573{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015163389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.573{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015163388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.572{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015163387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.571{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000015163386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.571{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015163385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.570{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015163384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:48.570{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015163383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:13:48.570{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015163382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.570{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015163381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.570{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015163380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.570{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015163379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.569{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015163378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.569{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015163377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.568{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015163376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.568{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015163375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.568{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015163374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.565{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015163373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.565{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005100169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000680700) 154100x800000000000000015163372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:48.565{8B6011A9-E23C-6155-3F3E-02000000F001}8716C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015163617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
16:13:50.636{8B6011A9-E23E-6155-423E-02000000F001}4948C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 534500x800000000000000015163615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.635{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exe 734700x800000000000000015163614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.635{8B6011A9-E23E-6155-423E-02000000F001}4948C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015163609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.632{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015163608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.631{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015163607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:50.630{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015163606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.630{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015163605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.630{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015163573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.616{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:50.616{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.616{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015163570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.616{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015163568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:50.616{8B6011A9-E23E-6155-413E-02000000F001}7840C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
16:13:52.700{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015163785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.699{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015163784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.699{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 18141800x800000000000000015163782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 16:13:52.697{8B6011A9-E239-6155-3D3E-02000000F001}9092\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 734700x800000000000000015163774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.690{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 
734700x800000000000000015163752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.684{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 10341000x800000000000000015163729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.686{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015163728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.686{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015163727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015163726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015163725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015163724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015163723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015163722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015163721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015163720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015163719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015163718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.685{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 11241100x800000000000000015163716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.682{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000015163715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.682{8B6011A9-E239-6155-3D3E-02000000F001}9092ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 
10341000x800000000000000015163714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015163713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015163712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015163711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015163710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015163709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015163708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.679{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015163707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.675{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000015163704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.673{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000015163698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.656{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000015163676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.646{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exe 734700x800000000000000015163675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.642{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015163674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015163673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015163672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015163671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015163669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015163668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.641{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015163667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.640{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015163666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.640{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015163665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.640{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015163664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.640{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015163663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.639{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015163662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.639{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015163661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.639{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015163660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.639{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015163659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.638{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015163658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.638{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015163657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.638{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015163656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.637{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015163655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.637{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015163654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.636{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015163653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.636{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015163652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.636{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015163651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.636{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015163650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.635{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015163649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.635{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015163648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.635{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015163647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.634{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015163646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.634{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015163645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.634{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015163644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.633{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015163643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.632{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015163642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.632{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015163641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.632{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015163640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.631{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015163639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.631{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015163638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.631{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015163637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.630{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015163636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.630{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015163635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.630{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015163634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.629{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015163633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:13:52.629{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015163632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.627{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015163631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.626{8B6011A9-E239-6155-3D3E-02000000F001}90929288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005550169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000680718) 154100x800000000000000015163630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:13:52.627{8B6011A9-E240-6155-433E-02000000F001}9700C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 
StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E239-6155-3D3E-02000000F001}9092C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 534500x800000000000000015164853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:04.988{8B6011A9-E24C-6155-4B3E-02000000F001}2040C:\Temp\winhlp32.exe 734700x800000000000000015164834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:04.960{8B6011A9-E24C-6155-4B3E-02000000F001}2040C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 10341000x800000000000000015164833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:14:04.953{8B6011A9-51ED-6143-0C00-00000000F001}8526532C:\Windows\system32\svchost.exe{8B6011A9-E24C-6155-4B3E-02000000F001}2040C:\temp\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015164832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:04.952{8B6011A9-E24C-6155-4B3E-02000000F001}2040C:\Temp\winhlp32.exeC:\Windows\SysWOW64\HelpPaneProxy.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Help ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationhelppaneproxy.dllMD5=E2AEBCDD66035AAB459B129946BEC8B8,SHA256=155BADD79618A0E3F14C64D4CAFCC69107B933603CCDDAE4D16CBD1F847495F0trueMicrosoft WindowsValid 734700x800000000000000015164830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:14:04.951{8B6011A9-E24C-6155-4B3E-02000000F001}2040C:\Temp\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 10341000x800000000000000015164828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
CorporationMSCMS.DLLMD5=B65F2AFD9AA2BE2DBE0E1CE72FF7F75C,SHA256=3B44113F845FD512530AADAA6CC437028E635742D92E28AF57B9F32BA958B697trueMicrosoft WindowsValid 734700x800000000000000015181817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.444{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_e8ebe5c0ed79850d\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=DB9EEA6E4C32315294D22E0C86077356,SHA256=7A60A27BB6178CDF126AFB37DE5AD77F687C33B4326624962CEE26F7361ADC6AtrueMicrosoft WindowsValid 734700x800000000000000015181816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.444{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015181815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.443{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015181814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.443{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValid 734700x800000000000000015181813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.443{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015181812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.442{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015181811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.442{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015181810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.442{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015181809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.442{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015181808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.442{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015181807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.441{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015181805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.433{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015181804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.433{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015181803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.433{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015181802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.433{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015181801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.432{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015181800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.432{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015181799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.432{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015181798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.432{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015181797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.431{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015181796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.431{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015181795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.431{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015181794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.431{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015181793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.431{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015181792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.430{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015181791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.430{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\AppPatch\AcSpecfc.dll10.0.14393.3115 (rs1_release_1.190708-1703)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=DFF7532E4CD772161528925D77EBAC54,SHA256=68B1FF190FD9601E1F441A0AA6D727618BE1A59099278B52178F4BB450E9D257trueMicrosoft WindowsValid 734700x800000000000000015181790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.425{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x800000000000000015181789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.420{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015181788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.419{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015181787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.418{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015181786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.418{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015181785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.418{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015181784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.418{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015181783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.418{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015181782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.417{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015181781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.417{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015181780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.416{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015181778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.416{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015181777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.416{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exeC:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015181775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.414{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015181774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.414{8B6011A9-B0F1-6155-7237-02000000F001}12529616-{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\temp\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+3c91c|C:\Windows\System32\shell32.dll+e2087|C:\Windows\System32\shell32.dll+e1fe5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x800000000000000015181773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:10.414{8B6011A9-E4E6-6155-AD3E-02000000F001}6940C:\Temp\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\temp\winhlp32.exe" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 534500x800000000000000015185843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.961{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\Temp\winhlp32.exe.exe 734700x800000000000000015185825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.947{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 10341000x800000000000000015185824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.944{8B6011A9-51ED-6143-0C00-00000000F001}8525016C:\Windows\system32\svchost.exe{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\temp\winhlp32.exe.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
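The ProcessCreate record above shows a Microsoft-signed copy of winhlp32.exe (Signed=true, Signature=Microsoft Windows, OriginalFileName=WINHLP32.EXE) running from C:\Temp at High integrity, spawned by PowerShell_ISE, and the surrounding ImageLoad/ProcessTerminate records show a second copy named winhlp32.exe.exe. Because the file is a genuine signed binary, any allow-rule keyed on signature or publisher passes it; the signal is the path. The following detection logic is an added example, not part of the original Sysmon export or of Attack Range. It assumes a pipe-delimited Key=Value layout for the records (the page's export runs the fields together), an illustrative allow-list of where each OriginalFileName normally lives, an assumed OriginalFileName for the winhlp32.exe.exe process (its ProcessCreate event is not on the page), and a constructed benign third record.

```python
"""
Added example (not part of the original Sysmon export): flag a Microsoft-signed
Windows binary executed from a non-standard path, using the fields present in
Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) records like the
winhlp32.exe ones on this page.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: where each OriginalFileName normally lives on a default x64
# Windows install. Illustrative, not an exhaustive inventory.
EXPECTED_PATHS = {
    "WINHLP32.EXE": {r"c:\windows\winhlp32.exe"},
    "POWERSHELL_ISE.EXE": {
        r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
        r"c:\windows\syswow64\windowspowershell\v1.0\powershell_ise.exe",
    },
}

# Image name carries a second executable extension, e.g. winhlp32.exe.exe
DOUBLE_EXTENSION = re.compile(r"\.(exe|dll|scr|com|bat|ps1)\.exe$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    original_file_name: str
    parent_image: str
    integrity_level: str
    user: str
    signed: bool
    signature: str


def parse_record(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a ProcessEvent.

    The page's export runs the Sysmon fields together without delimiters, so
    this example uses an explicit pipe-delimited layout instead (assumption).
    """
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        image=fields["Image"],
        original_file_name=fields["OriginalFileName"],
        parent_image=fields["ParentImage"],
        integrity_level=fields["IntegrityLevel"],
        user=fields["User"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def findings_for(event: ProcessEvent) -> List[str]:
    """Return the names of the detections that fire for one ProcessCreate event."""
    hits = []
    expected = EXPECTED_PATHS.get(event.original_file_name.upper())
    # The binary identifies itself as a known system file but runs elsewhere.
    if expected is not None and event.image.lower() not in expected:
        hits.append("system_binary_relocated")
    if DOUBLE_EXTENSION.search(event.image):
        hits.append("double_extension")
    return hits


def signature_policy_allows(event: ProcessEvent) -> bool:
    """A naive 'signed by Microsoft' allow-rule, included to show it is not enough."""
    return event.signed and event.signature == "Microsoft Windows"


# Constructed sample input. The first record takes its values from the
# ProcessCreate and ImageLoad events on the page; the second models the
# winhlp32.exe.exe process (OriginalFileName assumed, since only its ImageLoad
# and ProcessTerminate events appear); the third is a constructed benign run
# of the same binary from its home path.
SAMPLE_RECORDS = [
    r"Image=C:\Temp\winhlp32.exe|OriginalFileName=WINHLP32.EXE"
    r"|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
    r"|IntegrityLevel=High|User=ATTACKRANGE\Administrator"
    r"|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Temp\winhlp32.exe.exe|OriginalFileName=WINHLP32.EXE"
    r"|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
    r"|IntegrityLevel=High|User=ATTACKRANGE\Administrator"
    r"|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Windows\winhlp32.exe|OriginalFileName=WINHLP32.EXE"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|IntegrityLevel=Medium|User=ATTACKRANGE\alice"
    r"|Signed=true|Signature=Microsoft Windows",
]


def scan(lines: List[str]) -> dict:
    """Map each Image path to the list of detections that fired for it."""
    return {ev.image: findings_for(ev) for ev in map(parse_record, lines)}


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_RECORDS).items():
        print(f"{image}: {hits or 'clean'}")
```

Run stand-alone it reports both C:\Temp copies and leaves the C:\Windows run clean, while `signature_policy_allows` returns True for the relocated copy: signature and hash allow-lists see a valid Microsoft file, so the location check (OriginalFileName versus Image) is what has to carry the detection.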
734700x800000000000000015185823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.943{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015185822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.943{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\HelpPaneProxy.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Help ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationhelppaneproxy.dllMD5=E2AEBCDD66035AAB459B129946BEC8B8,SHA256=155BADD79618A0E3F14C64D4CAFCC69107B933603CCDDAE4D16CBD1F847495F0trueMicrosoft WindowsValid 734700x800000000000000015185821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:26.942{8B6011A9-E4F6-6155-BA3E-02000000F001}6084C:\Temp\winhlp32.exe.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 10341000x800000000000000015185820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
734700x800000000000000015186675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.947{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015186674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.947{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015186673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.947{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015186672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.946{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x800000000000000015186671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.945{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015186670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.945{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015186667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.944{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000015186666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.943{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015186665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.943{8B6011A9-B0F1-6155-7237-02000000F001}12527584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015186664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:32.942{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015188916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.874{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015188889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.872{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015188871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.873{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015188862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.742{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000015188836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.727{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000015188809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.724{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015188783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.723{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000015188757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.721{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000015188732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.720{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000015188705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.703{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000015188678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.689{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015188652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.687{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000015188624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.683{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000015188598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.657{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000015188572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.644{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015188542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.637{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015188518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.636{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015188494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.633{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000015188466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.630{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015188442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.624{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015188414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.623{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000015188386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.597{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 13241300x800000000000000015188239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.729{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015188238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.728{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015188237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.728{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015188236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
16:25:33.728{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x800000000000000015188234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015188232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015188231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015188229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015188228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015188227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015188226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x800000000000000015188225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015188224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015188223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015188222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015188221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.725{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015188220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.724{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000015188115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.703{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 12241200x800000000000000015188114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.686{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015188081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:25:33.683{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 13241300x800000000000000015188055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.677{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015188054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.676{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015188053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.676{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015188051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.675{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015188050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.675{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
16:25:33.596{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 734700x800000000000000015187684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.591{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000015187683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.591{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015187656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.585{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000015187450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.486{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000015187426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.477{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000015187401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.475{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000015187360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.473{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000015187334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.471{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000015187307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.467{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 12241200x800000000000000015187288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.472{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000015187287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.472{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000015187275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.217{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000015187246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.217{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000015187221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.215{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000015187201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.096{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 734700x800000000000000015187168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.080{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x800000000000000015187142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:33.076{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 13241300x800000000000000015187125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.082{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015187123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.081{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015187122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.081{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015187121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.081{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015187120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.081{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000015187119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.081{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015187114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.074{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 12241200x800000000000000015187094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015187093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015187092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015187091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015187090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015187089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015187088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015187087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015187086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015187085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015187084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015187083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.078{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
12241200x800000000000000015187082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.077{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015187080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.077{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000015187073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.072{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 734700x800000000000000015187046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.056{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x800000000000000015187024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:25:33.056{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015187022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.041{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000015187015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.008{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000015186996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.031{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000015186995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.031{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
16:25:33.031{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.030{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.030{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.030{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.030{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.030{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015186988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.028{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015186987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.028{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 
(rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000015186986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.026{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015186985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.026{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015186984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.025{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015186982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015186981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x800000000000000015186980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015186979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015186978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015186977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015186976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:33.024{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015186975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.023{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000015186974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:33.023{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000015186972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.023{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015186971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.023{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000015186970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 16:25:33.023{8B6011A9-E4FC-6155-C03E-02000000F001}1780C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015186969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
//e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015189423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.289{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015189422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.289{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015189421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.288{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015189420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.288{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000015189419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.287{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x800000000000000015189418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:36.287{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015189417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.287{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015189416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:36.287{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015189415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.286{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015189414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.286{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015189413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.286{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015189412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.285{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015189411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.285{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015189410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.285{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015189409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.284{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015189408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.284{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015189407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.282{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015189406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.281{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005820169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E0C100) 154100x800000000000000015189405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:36.282{8B6011A9-E500-6155-C43E-02000000F001}8444C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015189692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
16:25:38.353{8B6011A9-E502-6155-C73E-02000000F001}9976C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015189690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.353{8B6011A9-E502-6155-C73E-02000000F001}9976C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015189670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.340{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe 734700x800000000000000015189655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.336{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015189652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.335{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015189651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.335{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015189650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.335{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015189649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.334{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015189648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.334{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015189647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.334{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015189646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.334{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015189645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.333{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015189643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.333{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015189642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.333{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015189641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.333{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015189640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.332{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015189638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.332{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015189636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.332{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015189635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.331{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015189633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.331{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015189631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.331{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015189628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.330{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015189626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.330{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015189623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.329{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015189622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.329{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015189620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.329{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015189618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.328{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015189616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.328{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015189615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.328{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015189614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.328{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015189612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.327{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 10341000x800000000000000015189611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.327{8B6011A9-E4FD-6155-C23E-02000000F001}52608288C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E502-6155-C73E-02000000F001}9976C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.
storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015189610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.328{8B6011A9-E502-6155-C73E-02000000F001}9976C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015189609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.327{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015189608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.327{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 
734700x800000000000000015189607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.326{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015189606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.325{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015189605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.325{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015189604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.324{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
12241200x800000000000000015189603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:38.324{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015189602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.324{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015189601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 16:25:38.324{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015189600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.324{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015189599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.324{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015189598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.323{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015189597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.323{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015189596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.323{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015189595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.322{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015189594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.322{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015189593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.322{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015189592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.319{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015189591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:38.319{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005950169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E0C0B8) 154100x800000000000000015189590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.319{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 534500x800000000000000015189921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.488{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe 734700x800000000000000015189917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.417{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 
(rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 734700x800000000000000015189888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.416{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 10341000x800000000000000015189868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.421{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT
32.dll+1fcdd(wow64) 10341000x800000000000000015189867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.421{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015189866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.421{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015189865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.421{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015189864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.420{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015189863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.420{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015189862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.420{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015189861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.419{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.419{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.419{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.419{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015189857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.419{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015189856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.418{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015189855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.418{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015189854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.418{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015189853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.418{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 18141800x800000000000000015189851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 16:25:40.416{8B6011A9-E4FD-6155-C23E-02000000F001}5260\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 734700x800000000000000015189842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.409{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 
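The records above carry the whole injection chain in three events that share one timestamp, 16:25:38.319: Event 1 shows C:\Windows\SysWOW64\wscript.exe (PID 5260, command line `"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"`) creating C:\Windows\winhlp32.exe (PID 4632) at High integrity; two Event 10 records show csrss.exe and then wscript.exe opening that child with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS). The csrss.exe access is routine (the subsystem registers every new process, and its call trace stays inside basesrv/csrsrv). The wscript.exe access is not: its call trace passes through C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll, which is DynamicWrapperX, a COM component that lets VBScript call arbitrary Win32 APIs, and through two UNKNOWN frames, i.e. code running from memory that no loaded module backs. Only afterwards (16:25:38.322 onward) does winhlp32.exe log its own ntdll/kernel32/user32 image loads, which is consistent with the child having been created suspended and written to before its first thread ran. The later wscript.exe accesses to explorer.exe at 16:25:40 request only 0x40 (PROCESS_DUP_HANDLE) from shell32/windows.storage code paths and should not trip a rule built on this chain. Two quirks of this export matter when carving it: ProcessId and ThreadId are fused ("52607968" is PID 5260, TID 7968), and so are LogonId and TerminalSessionId ("0x40e2ce2" is best read as LogonId 0x40e2ce in session 2, which also explains the Temp\2 directory).

The following is an added example, not part of the export or of the Splunk attack-range tooling that produced it. It carves Event 1 and Event 10 records out of the flattened text with regexes that encode the Sysmon field order for those two event types (and assume Image paths end in .exe, true for this data), then flags a script host that opens the child it just spawned with thread-creation and memory-write rights, listing the call-trace frames that live outside C:\Windows or in unbacked memory. Three of the sample records are copied verbatim from the export; the fourth (wscript.exe reading explorer.exe with 0x40) is constructed from the first explorer record with its call trace shortened, to give the rule a negative case. Function names (`split_records`, `parse`, `detect`, `trace_findings`) are mine.

```python
"""Carve Sysmon Event 1 (process create) and Event 10 (process access) records out
of a flattened export and flag a script host that opens its own freshly created
child with injection rights. Added example, not part of the export; the regexes
encode the Sysmon field order for these event types and assume Image paths end in .exe."""
import ntpath
import re

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
GUID = r"\{[0-9A-F-]{36}\}"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
# Every record opens with EventID, Version, Level (4), Task (= EventID), Opcode (0),
# Keywords 0x8000000000000000 and RecordID: "154100x..." is Event 1, "10341000x..." is Event 10.
RECORD_START = re.compile(
    rf"(?<!\S)(?P<eid>\d{{1,2}})\d4(?P=eid)00x8000000000000000\d+(?={CHANNEL})")
# Event 1 head: Computer, RuleName (-), UtcTime, ProcessGuid, ProcessId, Image.
EV1_HEAD = re.compile(
    rf"(?P<host>[\w.-]+)-(?P<utc>{TS})(?P<guid>{GUID})(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.(?:exe|EXE))")
# Event 1 tail: IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine.
EV1_TAIL = re.compile(
    rf"(?P<integrity>Low|Medium|High|System)MD5=(?P<md5>[0-9A-F]{{32}}),SHA256=(?P<sha256>[0-9A-F]{{64}})"
    rf"(?P<pguid>{GUID})(?P<ppid>\d+)(?P<pimage>[A-Za-z]:\\.+?\.(?:exe|EXE))(?P<pcmd>.*)$")
# Event 10: Computer, RuleName, UtcTime, SourceProcessGuid, SourceProcessId+SourceThreadId (fused in
# this export, e.g. 52607968 = PID 5260 / TID 7968), SourceImage, TargetProcessGuid, TargetProcessId,
# TargetImage, GrantedAccess, CallTrace.
EV10 = re.compile(
    rf"(?P<host>[\w.-]+)-(?P<utc>{TS})(?P<sguid>{GUID})(?P<spidtid>\d+)(?P<simage>[A-Za-z]:\\.+?)"
    rf"(?P<tguid>{GUID})(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.+?)(?P<access>0x[0-9a-fA-F]+)"
    r"(?P<trace>(?:[A-Za-z]:\\|UNKNOWN).*)$")
USER = re.compile(r"([\w.-]+\\[\w.$-]+)\{")      # DOMAIN\user sits immediately before LogonGuid
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INJECT_MASK = 0x0002 | 0x0008 | 0x0020   # PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sample input: three records copied from the export (Event 1, then the two Event 10 accesses to
# winhlp32.exe) plus one CONSTRUCTED benign Event 10 (wscript.exe -> explorer.exe, 0x40, trace shortened).
RECORDS = [
    r'154100x800000000000000015189590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.319{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"',
    r'10341000x800000000000000015189591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.319{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005950169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E0C0B8)',
    r'10341000x800000000000000015189592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:38.319{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E502-6155-C63E-02000000F001}4632C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'10341000x800000000000000015189868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.421{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)',
]
FLAT = " ".join(RECORDS)   # the export runs records together separated only by whitespace


def split_records(flat):
    """Cut a flattened blob into individual records at each record header."""
    starts = [m.start() for m in RECORD_START.finditer(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, starts[1:] + [len(flat)])]


def parse(rec):
    """Return a dict of the fields this rule needs, or None for other event types."""
    m = RECORD_START.match(rec)
    if not m:
        return None
    eid, body = int(m.group("eid")), rec.split(CHANNEL, 1)[1]
    if eid == 1:
        head, tail, user = EV1_HEAD.match(body), EV1_TAIL.search(body), USER.search(body)
        if not (head and tail and user):
            return None
        return {"eid": 1, **head.groupdict(), **tail.groupdict(), "user": user.group(1)}
    if eid == 10:
        m10 = EV10.match(body)
        return {"eid": 10, **m10.groupdict()} if m10 else None
    return None


def trace_findings(trace):
    """Frames worth a second look: unbacked memory (UNKNOWN) or a module outside C:\\Windows."""
    odd = []
    for frame in trace.split("|"):
        module = frame.split("+", 1)[0]
        if frame.startswith("UNKNOWN(") or not module.lower().startswith("c:\\windows\\"):
            odd.append(frame)
    return odd


def detect(records):
    """Flag a script host opening the child it just created with write + thread rights."""
    events = [e for e in map(parse, records) if e]
    children = {e["guid"]: e for e in events if e["eid"] == 1}
    findings = []
    for e in events:
        if e["eid"] != 10:
            continue
        child = children.get(e["tguid"])
        if child is None or child["pguid"] != e["sguid"]:
            continue                      # correlate on ProcessGuid, not on the fused PID/TID field
        if (int(e["access"], 16) & INJECT_MASK) != INJECT_MASK:
            continue                      # 0x40 (DUP_HANDLE) style reads are not injection
        if ntpath.basename(e["simage"]).lower() not in SCRIPT_HOSTS:
            continue                      # csrss.exe legitimately opens every new process
        findings.append({"utc": e["utc"], "source": e["simage"], "parent_cmdline": child["pcmd"],
                         "child": child["image"], "child_pid": int(child["pid"]),
                         "user": child["user"], "access": e["access"],
                         "suspicious_frames": trace_findings(e["trace"])})
    return findings


if __name__ == "__main__":
    for f in detect(split_records(FLAT)):
        print(f"{f['utc']} {f['source']} -> {f['child']} (pid {f['child_pid']}) access {f['access']} as {f['user']}")
        print("  parent cmdline:", f["parent_cmdline"])
        for frame in f["suspicious_frames"]:
            print("  frame:", frame)
```

The rule keys on the ProcessGuid pair rather than on PIDs because the export has fused the source PID and TID into one number, and because PIDs are reused; it requires PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE together rather than the exact 0x1fffff, so a loader that requests the minimum it needs is still caught. Running it over the four sample records produces one finding, the wscript.exe access to winhlp32.exe, with three flagged frames: the two UNKNOWN frames and the dynwrapx.dll frame from the Temp directory.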
734700x800000000000000015189816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.403{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 10341000x800000000000000015189798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.405{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015189797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.405{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015189796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.405{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015189795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.405{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015189794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015189793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015189792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015189791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015189790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015189789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015189788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015189787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.404{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000015189785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.395{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 11241100x800000000000000015189784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.402{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 
23542300x800000000000000015189783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.401{8B6011A9-E4FD-6155-C23E-02000000F001}5260ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 734700x800000000000000015189778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.392{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 10341000x800000000000000015189756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015189753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015189752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015189751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015189750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.398{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015189748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.393{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 534500x800000000000000015189745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.383{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exe 
734700x800000000000000015189744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.379{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015189743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015189742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015189741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 
734700x800000000000000015189740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015189739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015189738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.378{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015189737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.377{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft 
WindowsValid 734700x800000000000000015189736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.377{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015189735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.377{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015189734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.377{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015189733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.376{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 
734700x800000000000000015189732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.376{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015189731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.376{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015189730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.375{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015189729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.375{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000015189728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.375{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015189727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.374{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015189726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.374{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015189725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.374{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000015189724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.373{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015189723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.373{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015189722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.373{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015189721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.372{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000015189720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.372{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015189719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.372{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015189718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.372{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015189717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.371{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000015189716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.371{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015189715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.371{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015189714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.370{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015189713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.369{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000015189712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.369{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015189711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.368{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015189710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.368{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015189709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.368{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000015189708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.368{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015189707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.367{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015189706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.367{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015189705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.367{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000015189704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.366{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015189703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.366{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015189702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.366{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015189701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.363{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015189700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
16:25:40.363{8B6011A9-E4FD-6155-C23E-02000000F001}52607968C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007030169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E0C088) 154100x800000000000000015189699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 16:25:40.363{8B6011A9-E504-6155-C83E-02000000F001}5676C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-E4FD-6155-C23E-02000000F001}5260C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 10341000x800000000000000015303539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
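The two records above are the ones that matter in this stretch of the dataset: a Sysmon EventID 10 (ProcessAccess) in which wscript.exe (PID 5260, command line "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs") opened winhlp32.exe (PID 5676) with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS) and a call trace that passes through C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll plus two UNKNOWN frames, followed by the EventID 1 (ProcessCreate) showing that same wscript.exe had just started winhlp32.exe with no arguments. A script host holding write-and-thread rights on a freshly spawned, argument-less Windows stub, with a user-Temp DLL on the stack, is the shape of script-driven process injection (dynwrapx.dll is commonly the DynamicWrapperX component that lets VBScript call Win32 APIs; that identification is an inference from the file name, not something the log states). By contrast, the csrss.exe access with 0x1fffff at process start-up, and the long run of wmiprvse.exe records that follow with GrantedAccess 0x1410 and a trace through cimwin32.dll, are expected behaviour and should not fire. The triage below is an added example, not part of the dataset or of any tool it was produced with; the sample records are constructed from the field values visible in the excerpt, use Sysmon's field names, and have their call traces abridged.

```python
"""Triage Sysmon ProcessAccess (EventID 10) and ProcessCreate (EventID 1) records
for script-host process injection. Example code, not part of the dataset; the
sample records are constructed from field values visible in the log excerpt."""
import re

# PROCESS_* access rights from winnt.h; 0x1fffff is PROCESS_ALL_ACCESS (Vista+).
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020   # create thread + VM operation + VM write
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# csrss.exe opens every new process with full access at start-up; that is expected.
SYSTEM_SOURCES = {r"c:\windows\system32\csrss.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into the PROCESS_* rights it contains."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def has_injection_rights(mask: int) -> bool:
    return mask & INJECTION_RIGHTS == INJECTION_RIGHTS

def untrusted_frames(calltrace: str) -> list[str]:
    """Frames of a Sysmon CallTrace ('module+offset|...') whose module is outside
    C:\\Windows, including UNKNOWN(<address>) frames that resolve to no module."""
    flagged = []
    for frame in calltrace.split("|"):
        module = frame.split("+", 1)[0].strip().lower()
        if not module.startswith("c:\\windows\\"):
            flagged.append(frame)
    return flagged

def triage_process_access(evt: dict) -> list[str]:
    """Reasons an EventID 10 record needs a look; [] for read-only or system noise."""
    src = evt["SourceImage"].lower()
    if src in SYSTEM_SOURCES or src == evt["TargetImage"].lower():
        return []
    mask = int(evt["GrantedAccess"], 16)
    bad_frames = untrusted_frames(evt["CallTrace"])
    if not has_injection_rights(mask) and not bad_frames:
        return []           # e.g. WMI Win32_Process enumeration with 0x1410
    reasons = []
    if has_injection_rights(mask):
        rights = ", ".join(decode_access(mask & INJECTION_RIGHTS))
        reasons.append("%s grants %s" % (evt["GrantedAccess"], rights))
    if src.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("script host opened %s" % evt["TargetImage"])
    if bad_frames:
        reasons.append("call trace leaves C:\\Windows: " + " | ".join(bad_frames))
    return reasons

def triage_process_create(evt: dict) -> list[str]:
    """Reasons an EventID 1 record looks like a script host staging an injection target."""
    parent = evt["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent not in SCRIPT_HOSTS:
        return []
    pcmd = evt["ParentCommandLine"]
    reasons = ["spawned by script host %s" % parent]
    m = re.search(r'([a-z]:\\[^"\s]+\.(?:vbs|vbe|js|jse|wsf|hta))', pcmd, re.I)
    if m and not m.group(1).lower().startswith(TRUSTED_PREFIXES):
        reasons.append("script outside Windows/Program Files: " + m.group(1))
    if "//b" in pcmd.lower():
        reasons.append("//b batch mode hides script errors and prompts")
    if evt["CommandLine"].strip('"').lower() == evt["Image"].lower():
        reasons.append("%s started with no arguments: candidate injection host" % evt["Image"])
    return reasons

def triage(events: list[dict]) -> dict[str, list[str]]:
    """RecordID -> reasons, for every record that fired."""
    handlers = {10: triage_process_access, 1: triage_process_create}
    hits = {}
    for evt in events:
        reasons = handlers.get(evt["EventID"], lambda e: [])(evt)
        if reasons:
            hits[evt["RecordID"]] = reasons
    return hits

# Constructed from the excerpt's records (PIDs, images, masks); call traces abridged.
SAMPLE_EVENTS = [
    {"EventID": 10, "RecordID": "15189701",  # csrss.exe at process start-up: expected
     "SourceImage": r"C:\Windows\system32\csrss.exe", "TargetImage": r"C:\Windows\winhlp32.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"},
    {"EventID": 10, "RecordID": "15189700",  # wscript.exe -> winhlp32.exe, dynwrapx.dll on the stack
     "SourceImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE", "TargetImage": r"C:\Windows\winhlp32.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|UNKNOWN(0000000007030169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E0C088)"},
    {"EventID": 1, "RecordID": "15189699",   # winhlp32.exe created by the wscript.exe running remcos.vbs
     "Image": r"C:\Windows\winhlp32.exe", "CommandLine": r'"C:\Windows\winhlp32.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentCommandLine": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"'},
    {"EventID": 10, "RecordID": "15303539",  # wmiprvse.exe Win32_Process query: read-only noise
     "SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe", "TargetImage": r"C:\Windows\winhlp32.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\system32\wbem\wmiprvse.exe+a731"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS).items():
        print(record_id, *reasons, sep="\n  ")
```

Only the wscript.exe access and the winhlp32.exe creation fire; the csrss.exe and wmiprvse.exe records are suppressed by the source allow-list and by the read-only mask (0x1410 decodes to PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION, none of which lets the caller write or start a thread). The call-trace check is what separates this from a plain GrantedAccess threshold: a full-access open from a signed Windows binary with every frame inside C:\Windows is common, while a frame in a user's Temp directory or an UNKNOWN frame with no backing module is not.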
18:47:31.929{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015303340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:31.770{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015304457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:32.549{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015304240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:32.401{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015304053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:32.256{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015303882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:32.156{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015303709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:32.064{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015307170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:33.797{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015306216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:33.382{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015305537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:33.065{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015310386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:42.873{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015309913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:42.764{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015309438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:42.664{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015308978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
18:47:42.563{8B6011A9-0643-6156-C742-02000000F001}72447132C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000015308584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
Common to every record below: Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-469.attackrange.local, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-".

Event ID 10 (ProcessAccess, event version 3), 16 records dated 2021-09-30. All fields except EventRecordID and UtcTime are identical:
  SourceProcessGUID               {8B6011A9-0643-6156-C742-02000000F001}
  SourceProcessId/SourceThreadId  72447132 (the two values are run together in the export; the boundary is not recoverable)
  SourceImage                     C:\Windows\system32\wbem\wmiprvse.exe
  TargetProcessGUID               {8B6011A9-B5D2-6155-2C38-02000000F001}
  TargetProcessId                 9228
  TargetImage                     C:\Windows\winhlp32.exe
  GrantedAccess                   0x1410
  CallTrace                       C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

  EventRecordID | UtcTime
  (header of this record is on the preceding line) | 18:47:42.481
  15311854 | 18:47:57.936
  15311402 | 18:47:57.842
  15311031 | 18:47:57.758
  15316565 | 18:47:58.924
  15316096 | 18:47:58.830
  15315621 | 18:47:58.730
  15315120 | 18:47:58.625
  15314671 | 18:47:58.527
  15314197 | 18:47:58.431
  15313724 | 18:47:58.332
  15313254 | 18:47:58.235
  15312779 | 18:47:58.136
  15312303 | 18:47:58.033
  15317517 | 18:47:59.127
  15317042 | 18:47:59.025

Event ID 7 (ImageLoad, event version 3), 24 records dated 2021-09-30, all from the same process:
  ProcessGuid {8B6011A9-0C02-6156-B943-02000000F001}, ProcessId 6312, Image C:\Windows\System32\wscript.exe
  Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid
  Product "Microsoft® Windows® Operating System" unless noted in the Description column.

  EventRecordID | UtcTime | ImageLoaded | FileVersion | Description | OriginalFileName
    (Hashes on the following line)
  15338268 | 19:12:02.911 | C:\Windows\System32\wbem\wbemdisp.dll | 10.0.14393.0 (rs1_release.160715-1616) | WMI Scripting | WBEMDISP.DLL
    MD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DC
  15338244 | 19:12:02.918 | C:\Windows\System32\wbem\fastprox.dll | 10.0.14393.0 (rs1_release.160715-1616) | WMI Custom Marshaller | fastprox.dll
    MD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3
  15338242 | 19:12:02.915 | C:\Windows\System32\wbem\wbemsvc.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | wbemsvc.dll
    MD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF
  15338241 | 19:12:02.913 | C:\Windows\System32\wbem\wmiutils.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | wmiutils.dll
    MD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4
  15338240 | 19:12:02.913 | C:\Windows\System32\wbem\wbemprox.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | wbemprox.dll
    MD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3
  15338236 | 19:12:02.911 | C:\Windows\System32\wbemcomn.dll | 10.0.14393.4530 (rs1_release.210705-0736) | WMI | wbemcomn.dll
    MD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1
  15338229 | 19:12:02.661 | C:\Windows\System32\scrrun.dll | 5.812.10240.16384 | Microsoft ® Script Runtime (Product: Microsoft ® Script Runtime) | scrrun.dll
    MD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6
  15338202 | 19:12:02.659 | C:\Windows\System32\wshom.ocx | 5.812.10240.16384 | Windows Script Host Runtime Library (Product: Microsoft ® Windows Script Host Runtime Library) | wshom.ocx
    MD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3
  15338176 | 19:12:02.659 | C:\Windows\System32\mpr.dll | 10.0.14393.2879 (rs1_release_inmarket.190313-1855) | Multiple Provider Router DLL | mpr.dll
    MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6
  15338133 | 19:12:02.546 | C:\Windows\System32\ncryptsslp.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft SChannel Provider | ncryptsslp.dll
    MD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56
  15338107 | 19:12:02.532 | C:\Windows\System32\cryptnet.dll | 10.0.14393.2035 (rs1_release_inmarket.180110-1910) | Crypto Network Related API | CRYPTNET.DLL
    MD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0
  15338060 | 19:12:02.529 | C:\Windows\System32\dpapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | Data Protection API | dpapi.dll
    MD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E
  15338028 | 19:12:02.528 | C:\Windows\System32\ntasn1.dll | 10.0.14393.0 (rs1_release.160715-1616) | Microsoft ASN.1 API | ntasn1.dll
    MD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843
  15337999 | 19:12:02.526 | C:\Windows\System32\ncrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows NCrypt Router | ncrypt.dll
    MD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4
  15337955 | 19:12:02.524 | C:\Windows\System32\mskeyprotect.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Microsoft Key Protection Provider | mskeyprotect.dll
    MD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4
  15337922 | 19:12:02.507 | C:\Windows\System32\schannel.dll | 10.0.14393.4225 (rs1_release.210127-1811) | TLS / SSL Security Provider | schannel.dll
    MD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4
  15337894 | 19:12:02.495 | C:\Windows\System32\FWPUCLNT.DLL | 10.0.14393.0 (rs1_release.160715-1616) | FWP/IPsec User-Mode API | fwpuclnt.dll
    MD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED
  15337867 | 19:12:02.307 | C:\Windows\System32\rasadhlp.dll | 10.0.14393.0 (rs1_release.160715-1616) | Remote Access AutoDial Helper | rasadhlp.dll
    MD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C
  15337840 | 19:12:02.304 | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | dnsapi
    MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9
  15337815 | 19:12:02.295 | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | nsi.dll
    MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27
  15337790 | 19:12:02.290 | C:\Windows\System32\winhttp.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Windows HTTP Services | winhttp.dll
    MD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458
  15337763 | 19:12:02.284 | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | iphlpapi.dll
    MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B
  15337738 | 19:12:02.274 | C:\Windows\System32\mlang.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi Language Support DLL | MLANG.DLL
    MD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046
  15337711 | 19:12:02.271 | C:\Windows\System32\wininet.dll | 11.00.14393.4583 (rs1_release.210730-1850) | Internet Extensions for Win32 (Product: Internet Explorer) | wininet.dll
    MD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035

Event ID 12 (RegistryEvent CreateKey, event version 2) and Event ID 13 (RegistryEvent SetValue, event version 2), dated 2021-09-30, same process as above:
  ProcessGuid {8B6011A9-0C02-6156-B943-02000000F001}, ProcessId 6312, Image C:\Windows\System32\WScript.exe

  EventRecordID | UtcTime | EventType | TargetObject | Details (Event 13 only)
  15338239 | 19:12:02.912 | CreateKey | HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
  15338238 | 19:12:02.912 | CreateKey | HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
  15337998 | 19:12:02.534 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337997 | 19:12:02.534 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337996 | 19:12:02.534 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337995 | 19:12:02.534 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337992 | 19:12:02.533 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337987 | 19:12:02.533 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Binary Data
  15337969 | 19:12:02.531 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
  15337968 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
  15337967 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
  15337966 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
  15337965 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
  15337964 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
  15337963 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
  15337962 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
  15337961 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
  15337960 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  15337959 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
  15337958 | 19:12:02.530 | CreateKey | HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
  15337956 | 19:12:02.530 | CreateKey | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  15337896 | 19:12:02.508 | CreateKey | HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  15337686 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337685 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337684 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337683 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337682 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337681 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337680 | 19:12:02.307 | CreateKey | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  15337679 | 19:12:02.305 | CreateKey | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
  15337678 | 19:12:02.297 | SetValue  | HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix | Visited: 
13241300x800000000000000015337677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.297{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015337676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.296{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015337674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015337673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015337672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015337671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 734700x800000000000000015337670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 12241200x800000000000000015337669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015337668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015337667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.295{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015337666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.294{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 
Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 13241300x800000000000000015337665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.292{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015337664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.292{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000015337663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.292{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015337662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:02.292{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015337661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.291{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 
12241200x800000000000000015337660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.291{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015337659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.282{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000015337658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.280{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000015337657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.278{8B6011A9-51EB-6143-0B00-00000000F001}6327220C:\Windows\system32\lsass.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015337656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.278{8B6011A9-51EB-6143-0B00-00000000F001}6327220C:\Windows\system32\lsass.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015337655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.278{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015337652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.231{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000015337627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.235{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000015337626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.235{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015337625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.235{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015337624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.234{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000015337621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.217{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015337594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.209{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015337570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.213{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015337569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.212{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015337568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.211{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000015337567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.211{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015337566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.211{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015337565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.210{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015337564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.210{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000015337563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.210{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015337561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.205{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015337560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.204{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015337559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.204{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015337558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.204{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015337557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.203{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015337556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.203{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000015337555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.200{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015337554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.197{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015337553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.196{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® 
Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015337552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.179{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015337527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.182{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000015337526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.180{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015337523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.171{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft 
CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 734700x800000000000000015337499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.173{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015337498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.173{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000015337497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.171{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 12241200x800000000000000015337495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.166{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000015337494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:02.166{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000015337493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.165{8B6011A9-51ED-6143-0C00-00000000F001}8529912C:\Windows\system32\svchost.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015337492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.164{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015337491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.164{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015337490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.163{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000015337489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.159{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000015337488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.163{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000015337464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.161{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000015337462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.152{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 734700x800000000000000015337461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.159{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000015337453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.158{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000015337442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.158{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000015337435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.158{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000015337434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.157{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000015337433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.157{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000015337432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.156{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000015337431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.156{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000015337430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.156{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000015337429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.156{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015337427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.155{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015337426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.155{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015337425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.155{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015337424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.154{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000015337423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.153{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015337422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.153{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015337419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.152{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000015337418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:02.151{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015337417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.151{8B6011A9-B0F1-6155-7237-02000000F001}12529856C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015337416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:02.150{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 354300x800000000000000015339867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:19.069{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59437-false172.67.68.88-443https 734700x800000000000000015339861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.765{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015339860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.762{8B6011A9-0C03-6156-BE43-02000000F001}8520C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015339855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.762{8B6011A9-0C03-6156-BE43-02000000F001}8520C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
734700x800000000000000015339738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.720{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 734700x800000000000000015339700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.707{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015339676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.726{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015339673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.724{8B6011A9-0C03-6156-BC43-02000000F001}30688708C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C03-6156-BE43-02000000F001}8520C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015339672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.725{8B6011A9-0C03-6156-BE43-02000000F001}8520C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\temp\remcos.vbs" 12241200x800000000000000015339670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.718{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015339669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.708{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015339668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.708{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015339665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.694{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015339664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.662{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015339634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.655{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015339594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.653{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015339552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.651{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 734700x800000000000000015339525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.650{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015339498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.646{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 12241200x800000000000000015339473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.650{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015339472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.650{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015339469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.350{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015339436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.350{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015339411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.348{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015339384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.230{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000015339334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.214{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 734700x800000000000000015339307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.209{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015339280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.208{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000015339248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.205{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 13241300x800000000000000015339223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.216{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015339222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.215{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015339221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.215{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015339220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
19:12:03.215{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015339218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.204{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000015339216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.212{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015339209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015339201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015339199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015339194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 
12241200x800000000000000015339191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015339187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015339186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015339185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.211{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015339183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.210{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015339182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.210{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015339180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.210{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015339179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:12:03.210{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015339151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.188{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 12241200x800000000000000015339113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.189{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015339111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.175{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015339084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 
734700x800000000000000015339055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.169{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 12241200x800000000000000015339031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.172{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015339024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.169{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015339022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 13241300x800000000000000015339021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.163{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015339006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.163{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 
13241300x800000000000000015338996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.162{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015338993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015338992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015338991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015338990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015338989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings 12241200x800000000000000015338988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015338987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.160{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015338986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.159{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000015338985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.153{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000015338984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.158{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 13241300x800000000000000015338983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.158{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015338982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.158{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000015338958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.157{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015338957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:03.157{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015338956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.156{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 
12241200x800000000000000015338955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.156{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015338954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.155{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000015338952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.154{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000015338949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.151{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015338948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.141{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 10341000x800000000000000015338924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.145{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015338923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.145{8B6011A9-51EB-6143-0B00-00000000F001}6323244C:\Windows\system32\lsass.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015338919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.119{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000015338894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.137{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000015338893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.136{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015338892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.135{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015338891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.135{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015338890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.135{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015338887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.105{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015338860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.096{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015338833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.093{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015338808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.088{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000015338783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.099{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015338782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.099{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015338779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.098{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015338778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.098{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015338775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.082{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015338774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.097{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015338760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.097{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015338752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.096{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015338749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.079{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015338722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.079{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 12241200x800000000000000015338698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.087{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015338697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.086{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015338695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.086{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® 
Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015338694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.085{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015338693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.083{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000015338692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.083{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015338691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.082{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating 
SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015338688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.071{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 734700x800000000000000015338664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.074{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015338663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.073{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015338662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.072{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015338660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.042{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 12241200x800000000000000015338641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.065{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015338640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.064{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015338634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.064{8B6011A9-51ED-6143-0C00-00000000F001}8529912C:\Windows\system32\svchost.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015338633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.062{8B6011A9-51ED-6143-1600-00000000F001}13243684C:\Windows\System32\svchost.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x800000000000000015338632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.062{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exe 10341000x800000000000000015338631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:03.062{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015338629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.062{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015338628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.061{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015338615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.058{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000015338600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.057{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015338599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.056{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015338598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.056{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015338597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.055{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000015338596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.055{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015338594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.054{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015338593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.054{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015338588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.054{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000015338573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.053{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015338566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.053{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015338565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.052{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015338564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.052{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015338563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.052{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015338562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.051{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015338561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.051{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015338560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.051{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000015338559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.050{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015338557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.049{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015338556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.049{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015338554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.048{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
734700x800000000000000015338552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.047{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015338551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.047{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015338550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.047{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015338539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.046{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000015338517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.044{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015338514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.044{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015338512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.042{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015338511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.042{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
10341000x800000000000000015338510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.041{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015338508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.040{8B6011A9-0C02-6156-B943-02000000F001}63128452C:\Windows\System32\WScript.exe{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015338507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.039{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript 
"C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 734700x800000000000000015338481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.035{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000015338457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:12:03.033{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015338427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:03.027{8B6011A9-0C02-6156-B943-02000000F001}6312C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 22542200x800000000000000015339875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:20.823{8B6011A9-0C03-6156-BC43-02000000F001}3068paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015339874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:20.142{8B6011A9-0C02-6156-B943-02000000F001}6312paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\System32\wscript.exe 354300x800000000000000015340050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:19.750{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59438-false172.67.68.88-443https 10341000x800000000000000015340040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:05.801{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015340039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:05.801{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000015340036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:12:05.800{8B6011A9-0C05-6156-C043-02000000F001}1828C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015340034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.800{8B6011A9-0C05-6156-C043-02000000F001}1828C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 10341000x800000000000000015340029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:05.798{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.798{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.798{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.797{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.797{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.797{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:05.796{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015340017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:05.796{8B6011A9-0C05-6156-C243-02000000F001}46325588C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000015339943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:05.775{8B6011A9-0C05-6156-C243-02000000F001}4632C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 80C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-0C05-6156-BF43-02000000F001}7072C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000015339934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
734700x800000000000000015340416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.899{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 734700x800000000000000015340389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.898{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 10341000x800000000000000015340364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.902{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015340363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.902{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015340362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.902{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015340361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.902{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015340360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.902{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015340359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015340358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015340357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015340353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.901{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015340352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.900{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015340351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.900{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015340350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.900{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015340349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.900{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 18141800x800000000000000015340347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 19:12:09.898{8B6011A9-0C03-6156-BC43-02000000F001}3068\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 734700x800000000000000015340345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.891{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 
10341000x800000000000000015340318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.887{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015340317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.887{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015340316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.887{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015340315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.887{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015340314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.886{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015340313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.886{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015340312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.886{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015340311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.886{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015340310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.885{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015340309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.885{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015340308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.885{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015340307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.885{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000015340306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.885{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 734700x800000000000000015340305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.876{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor 
Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 11241100x800000000000000015340304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.884{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000015340303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.884{8B6011A9-0C03-6156-BC43-02000000F001}3068ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 734700x800000000000000015340300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.873{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 10341000x800000000000000015340299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.881{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.881{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.881{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015340296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.881{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015340291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.880{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015340285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.880{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015340283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:12:09.880{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015340268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.874{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 534500x800000000000000015340265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.873{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exe 
734700x800000000000000015340264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.869{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015340263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.868{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015340262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.868{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015340261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.868{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 
734700x800000000000000015340260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.868{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015340259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.868{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015340258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.867{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015340257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.867{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft 
WindowsValid 734700x800000000000000015340256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.867{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015340255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.866{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015340254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.866{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015340253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.866{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 
734700x800000000000000015340252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.865{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015340251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.865{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015340250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.865{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015340249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.864{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x800000000000000015340248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.864{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015340247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.864{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015340246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.863{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015340245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.863{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000015340244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.862{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015340243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.862{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015340242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.861{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015340241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.861{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
734700x800000000000000015340240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.861{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015340239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.860{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015340238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.860{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015340237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.859{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 
734700x800000000000000015340236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.859{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015340235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.859{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015340234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.858{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015340233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.857{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 
734700x800000000000000015340232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.857{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015340231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.856{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015340230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.856{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015340229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.856{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000015340228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.855{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015340227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.855{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015340226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.855{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015340225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.854{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000015340224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.854{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000015340223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.854{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000015340222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.853{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000015340221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.851{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000015340220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.850{8B6011A9-0C03-6156-BC43-02000000F001}30683356C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007130169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000082FF4C8)
154100x800000000000000015340219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:12:09.850{8B6011A9-0C09-6156-C543-02000000F001}7316C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C03-6156-BC43-02000000F001}3068C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
734700x800000000000000015341931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.997{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
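The three records above (Event ID 1: wscript.exe running remcos.vbs spawns winhlp32.exe; Event ID 10: wscript.exe then opens that child with 0x1fffff and a CallTrace that passes through dynwrapx.dll in the user's Temp directory) are the whole injection chain. The following is an added detection example written by the editor; it is not part of this log dump or of the Splunk Attack Range project. The sample events are reconstructed from the page's field values as Sysmon-style XML (the CallTrace is abridged), the rule names and the 10-second correlation window are the editor's choices, and INJECT_MASK is the editor's assumption that an injector needs PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE.

```python
"""Detect a script host spawning a signed OS binary and then injecting into it.

Added example, not from the original log dump or from Splunk Attack Range.
Sample events are reconstructed from the records on this page; rule names,
the correlation window and INJECT_MASK are the editor's assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE (assumption:
# the minimum an injector needs; 0x1fffff, PROCESS_ALL_ACCESS, includes them).
INJECT_MASK = 0x0002 | 0x0008 | 0x0020
# A call stack frame inside a signed OS process should never live here.
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.I)
CORRELATION_WINDOW_S = 10


def _event(event_id, utc, data):
    """Build a minimal event in the Windows event-log XML schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{utc}"/></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample: values copied from the page's records (CallTrace abridged).
SAMPLE_EVENTS = [
    _event(1, "2021-09-30T19:12:09.850Z", {
        "ProcessGuid": "{8B6011A9-0C09-6156-C543-02000000F001}", "ProcessId": "7316",
        "Image": r"C:\Windows\winhlp32.exe", "CommandLine": r'"C:\Windows\winhlp32.exe"',
        "IntegrityLevel": "High",
        "ParentProcessGuid": "{8B6011A9-0C03-6156-BC43-02000000F001}",
        "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"'}),
    _event(10, "2021-09-30T19:12:09.850Z", {
        "SourceProcessGUID": "{8B6011A9-0C03-6156-BC43-02000000F001}",
        "SourceImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE",
        "TargetProcessGUID": "{8B6011A9-0C09-6156-C543-02000000F001}",
        "TargetImage": r"C:\Windows\winhlp32.exe", "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)"
                     r"|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000082FF4C8)"}),
    _event(10, "2021-09-30T19:12:09.851Z", {   # benign: csrss.exe touching the new process
        "SourceProcessGUID": "{8B6011A9-5DE3-6143-C106-00000000F001}",
        "SourceImage": r"C:\Windows\system32\csrss.exe",
        "TargetProcessGUID": "{8B6011A9-0C09-6156-C543-02000000F001}",
        "TargetImage": r"C:\Windows\winhlp32.exe", "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"}),
]


def parse(xml_text):
    """Return (event_id, timestamp, {field: value}) for one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return eid, ts, data


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the rules over raw Sysmon XML events; returns (rule, detail) tuples in time order."""
    findings = []
    spawned = {}  # child ProcessGuid -> (creation time, parent command line)
    for eid, ts, d in sorted((parse(e) for e in events), key=lambda t: (t[1], t[0])):
        if eid == 1 and basename(d.get("ParentImage", "")) in SCRIPT_HOSTS:
            spawned[d["ProcessGuid"]] = (ts, d.get("ParentCommandLine", ""))
            findings.append(("script_host_spawn",
                             f'{basename(d["ParentImage"])} -> {basename(d["Image"])}'))
        elif eid == 10:
            src, tgt = basename(d["SourceImage"]), basename(d["TargetImage"])
            access = int(d["GrantedAccess"], 16)
            if src in SCRIPT_HOSTS and (access & INJECT_MASK) == INJECT_MASK:
                findings.append(("script_host_inject", f'{src} -> {tgt} {d["GrantedAccess"]}'))
            for frame in d.get("CallTrace", "").split("|"):
                module = frame.split("+", 1)[0]          # strip "+offset(wow64)"
                if USER_WRITABLE.search(module):
                    findings.append(("calltrace_user_writable", module))
            created = spawned.get(d.get("TargetProcessGUID"))
            if created and src in SCRIPT_HOSTS and \
                    (ts - created[0]).total_seconds() <= CORRELATION_WINDOW_S:
                findings.append(("spawn_then_inject", created[1]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The csrss.exe access with the same 0x1fffff mask produces nothing: the source is not a script host and every frame of its CallTrace sits under System32, which is why the CallTrace check and the source-image check are kept separate rather than folded into a single GrantedAccess threshold. On the page's data the spawn_then_inject rule fires with the parent command line (the remcos.vbs invocation) as its detail, which is the string an analyst wants in the alert.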
734700x800000000000000015341930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.996{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015341929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.994{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015341928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.994{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015341927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.993{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
734700x800000000000000015341926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.993{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015341925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.992{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015341924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.992{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015341923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.992{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 
734700x800000000000000015341922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.991{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015341921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.990{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015341920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.990{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000015341919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.989{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015341918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:26.988{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015341917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.988{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015341916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.987{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015341915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.985{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 
734700x800000000000000015341914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.985{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015341913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.985{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015341912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.984{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015341911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.983{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 
734700x800000000000000015341910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.983{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000015341909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.982{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015341908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.981{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015341907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.980{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 
734700x800000000000000015341906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.979{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015341905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.978{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015341904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.978{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015341903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.978{8B6011A9-51ED-6143-0C00-00000000F001}8524728C:\Windows\system32\svchost.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000015341902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.977{8B6011A9-51ED-6143-1600-00000000F001}13243684C:\Windows\System32\svchost.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015341901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.976{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015341900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.976{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015341899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.976{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015341898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.973{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015341897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.972{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015341896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.972{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015341895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.971{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for 
WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000015341894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.971{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000015341893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.970{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000015341892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.970{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000015341891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.970{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000015341890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.969{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000015341889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.969{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000015341888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.969{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000015341887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.968{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000015341886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.968{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000015341885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.968{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000015341884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.968{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000015341883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.967{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000015341882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.967{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
534500x800000000000000015341881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.967{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exe
734700x800000000000000015341880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.967{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000015341879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.965{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000015341878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.965{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000015341877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.964{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000015341876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.964{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000015341875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.964{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000015341874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.963{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000015341873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.963{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000015341872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.962{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000015341871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.962{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000015341870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.961{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000015341869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.961{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000015341868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.961{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000015341867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.960{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000015341866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.959{8B6011A9-0C56-6156-D243-02000000F001}72446760C:\Windows\System32\WScript.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000015341865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.960{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs"
734700x800000000000000015341864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.956{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000015341863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.955{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000015341862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.950{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
734700x800000000000000015341828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.931{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000015341827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.922{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000015341826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.920{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000015341825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.918{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
12241200x800000000000000015341824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.918{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000015341823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.917{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000015341822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.917{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
734700x800000000000000015341821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.913{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
734700x800000000000000015341816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.661{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000015341815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.661{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000015341814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.660{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000015341813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.539{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
13241300x800000000000000015341812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.527{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000015341811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.527{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000015341810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.527{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000015341809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.527{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000015341808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.527{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000015341807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.526{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000015341806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.526{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000015341805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000015341804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000015341803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000015341802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000015341801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000015341800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000015341799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000015341798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000015341797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000015341796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000015341795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000015341794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.525{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000015341793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.524{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000015341792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.524{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000015341791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.523{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000015341790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.523{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000015341789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.523{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000015341788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.510{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000015341787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.509{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000015341786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.499{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000015341785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000015341784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.498{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000015341777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.496{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000015341776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.495{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000015341775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.493{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000015341774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.493{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000015341773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.493{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000015341771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000015341770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000015341769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000015341768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000015341767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000015341766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000015341765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000015341764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.491{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000015341763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.490{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x800000000000000015341762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.490{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000015341761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.490{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000015341760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.490{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000015341759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:26.490{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000015341758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.489{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000015341757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.489{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000015341756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.489{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000015341755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:26.489{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000015341754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.488{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000015341753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.488{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000015341752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.487{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x800000000000000015341751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.485{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015341750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.485{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000015341749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.484{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015341748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.481{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000015341747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.479{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000015341746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.457{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 
734700x800000000000000015341736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.479{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015341720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.458{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015341718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.458{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000015341716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.442{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 
734700x800000000000000015341715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.441{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015341714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.439{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015341713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.439{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015341712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.439{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 
734700x800000000000000015341711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.438{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015341710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.438{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015341709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.438{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015341708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.438{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 
734700x800000000000000015341707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.437{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015341706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.436{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015341705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.435{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015341704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:26.434{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015341703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:26.434{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015341702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.433{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015341701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.433{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015341700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.433{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
734700x800000000000000015341699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.431{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015341698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.431{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015341697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.430{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015341696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.430{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 
734700x800000000000000015341695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.429{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015341694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.428{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015341693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.427{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015341692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.427{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 
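The records around this point are the image-load, registry and process-access telemetry of a single wscript.exe process: the VBScript engine comes in, then AMSI and the WinTrust/crypto stack, then wininet/winhttp/ws2_32/dnsapi together with the WinINet registry writes under Internet Settings, and in between lsass.exe and two svchost.exe instances open the script host. As an added example, not part of this dataset or of the attack_range project whose host name appears in it, the Python below triages records of this kind once they are in Key=Value form: it parses them, flags a script host that has loaded the network stack together with its Internet Settings writes, decodes the Event 10 GrantedAccess mask, and explains why the lsass and svchost accesses are expected noise rather than credential theft (the direction is lsass opening wscript, through SspiSrv/lsasrv, one millisecond after wscript loaded sspicli.dll). The sample records are constructed from values in this dump with fields trimmed and call traces shortened; the DLL lists, the "expected" labels and the Key=Value layout are the example's own assumptions.

```python
"""Triage helpers for Sysmon records like those above: a script host that
loads the network stack, its WinINet registry writes, and Event 10 noise."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Sample records in key=value form ("; " between pairs), constructed from
# values in the dump above; fields trimmed and call traces shortened.
SAMPLE_RECORDS = r"""
EventID=7; RecordID=15341694; UtcTime=2021-09-30 19:13:26.428; ProcessId=7244; Image=C:\Windows\System32\wscript.exe; ImageLoaded=C:\Windows\System32\vbscript.dll
EventID=7; RecordID=15341752; UtcTime=2021-09-30 19:13:26.487; ProcessId=7244; Image=C:\Windows\System32\wscript.exe; ImageLoaded=C:\Windows\System32\ws2_32.dll
EventID=7; RecordID=15341755; UtcTime=2021-09-30 19:13:26.489; ProcessId=7244; Image=C:\Windows\System32\wscript.exe; ImageLoaded=C:\Windows\System32\winhttp.dll
EventID=7; RecordID=15341747; UtcTime=2021-09-30 19:13:26.479; ProcessId=7244; Image=C:\Windows\System32\wscript.exe; ImageLoaded=C:\Windows\System32\wininet.dll
EventID=7; RecordID=15341776; UtcTime=2021-09-30 19:13:26.495; ProcessId=7244; Image=C:\Windows\System32\wscript.exe; ImageLoaded=C:\Windows\System32\dnsapi.dll
EventID=12; RecordID=15341770; UtcTime=2021-09-30 19:13:26.491; EventType=CreateKey; ProcessId=7244; Image=C:\Windows\System32\WScript.exe; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
EventID=13; RecordID=15341768; UtcTime=2021-09-30 19:13:26.491; EventType=SetValue; ProcessId=7244; Image=C:\Windows\System32\WScript.exe; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable; Details=DWORD (0x00000000)
EventID=10; RecordID=15341751; UtcTime=2021-09-30 19:13:26.485; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1478; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593
EventID=10; RecordID=15341687; UtcTime=2021-09-30 19:13:26.423; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593
EventID=10; RecordID=15341686; UtcTime=2021-09-30 19:13:26.422; SourceImage=C:\Windows\System32\svchost.exe; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll", "urlmon.dll",
                "dnsapi.dll", "mswsock.dll"}
INET_SETTINGS = "\\Internet Settings\\"
PROCESS_ACCESS_BITS = {  # PROCESS_* access rights from winnt.h
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}

def parse_record(line: str) -> dict:
    """'Key=Value; Key=Value' -> dict. Split only on '; ' so a value that
    itself contains '=' (Hashes=MD5=...,SHA256=...) survives intact."""
    fields = {}
    for pair in line.strip().split("; "):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def decode_access(mask_hex: str) -> list:
    """Expand a GrantedAccess mask such as 0x1478 into PROCESS_* right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_ACCESS_BITS.items()) if mask & bit]

@dataclass
class ProcessProfile:
    image: str
    loaded: set = field(default_factory=set)                   # Event 7 DLLs
    inet_settings_writes: list = field(default_factory=list)  # Events 12/13

def build_profiles(records: list) -> dict:
    """One profile per process from Event 7/12/13. Keyed on ProcessId for
    brevity; production code should key on ProcessGuid (unique across PID reuse)."""
    profiles = {}
    for r in records:
        if r["EventID"] not in ("7", "12", "13"):
            continue
        prof = profiles.setdefault(r["ProcessId"], ProcessProfile(basename(r["Image"])))
        if r["EventID"] == "7":
            prof.loaded.add(basename(r["ImageLoaded"]))
        elif INET_SETTINGS in r.get("TargetObject", ""):
            prof.inet_settings_writes.append(r["TargetObject"])
    return profiles

def network_capable_script_hosts(profiles: dict) -> dict:
    """{pid: sorted network DLLs} for script hosts that loaded the HTTP/socket
    stack. A hunting lead, not an alert: MSXML2.XMLHTTP in an admin script
    produces exactly this pattern."""
    return {pid: sorted(p.loaded & NETWORK_DLLS) for pid, p in profiles.items()
            if p.image in SCRIPT_HOSTS and p.loaded & NETWORK_DLLS}

def classify_access(rec: dict) -> str:
    """Explain an Event 10 whose target is the script host: lsass entering via
    lsasrv/SspiSrv is LSA servicing the target's own SSPI call (sspicli.dll
    loads a millisecond earlier in the dump); svchost via rpcss/themeservice
    is ordinary RPC and desktop-theme plumbing. Anything else gets reviewed."""
    src, trace = basename(rec["SourceImage"]), rec.get("CallTrace", "").lower()
    if src == "lsass.exe" and ("sspisrv.dll" in trace or "lsasrv.dll" in trace):
        return "expected: LSA servicing an SSPI call from the target"
    if src == "svchost.exe" and ("rpcss.dll" in trace or "themeservice.dll" in trace):
        return "expected: service-side RPC/theme bookkeeping"
    return "review: unexplained access to script host"

def triage(text: str) -> dict:
    records = [parse_record(line) for line in text.strip().splitlines() if line.strip()]
    profiles = build_profiles(records)
    return {
        "network_hosts": network_capable_script_hosts(profiles),
        "inet_settings_writes": {pid: len(p.inet_settings_writes)
                                 for pid, p in profiles.items() if p.inet_settings_writes},
        "access": {r["RecordID"]: (decode_access(r["GrantedAccess"]), classify_access(r))
                   for r in records if r["EventID"] == "10"},
    }
```

Running triage(SAMPLE_RECORDS) returns PID 7244 with dnsapi, winhttp, wininet and ws2_32 loaded, two Internet Settings writes, and all three Event 10 records labelled expected, with 0x1478 decoded as VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE, QUERY_INFORMATION and QUERY_LIMITED_INFORMATION. The point of classify_access is direction and call stack: the interesting Event 10 is one where the script host is the SourceImage and lsass.exe the target, which none of these records show.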
Sysmon records from the same wscript.exe process (ProcessId 7244, ProcessGuid {8B6011A9-0C56-6156-D243-02000000F001}), continued, newest first, one record per line as Key=Value pairs separated by "; ". The event 10 SourceProcessId/SourceThreadId pairs 852/4728, 1324/1472 and 1324/1356 are split from the export's undelimited digits.

EventID=7; RecordID=15341691; UtcTime=2021-09-30 19:13:26.425; ImageLoaded=C:\Windows\System32\msctf.dll; FileVersion=10.0.14393.4530 (rs1_release.210705-0736); Description=MSCTF Server DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=MSCTF.DLL; Hashes=MD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341690; UtcTime=2021-09-30 19:13:26.424; ImageLoaded=C:\Windows\System32\sxs.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Fusion 2.5; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=SXS.DLL; Hashes=MD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=12; RecordID=15341689; UtcTime=2021-09-30 19:13:26.424; EventType=CreateKey; TargetObject=HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
EventID=12; RecordID=15341688; UtcTime=2021-09-30 19:13:26.424; EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
EventID=10; RecordID=15341687; UtcTime=2021-09-30 19:13:26.423; SourceProcessGUID={8B6011A9-51ED-6143-0C00-00000000F001}; SourceProcessId=852; SourceThreadId=4728; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={8B6011A9-0C56-6156-D243-02000000F001}; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=15341686; UtcTime=2021-09-30 19:13:26.422; SourceProcessGUID={8B6011A9-51ED-6143-1600-00000000F001}; SourceProcessId=1324; SourceThreadId=1472; SourceImage=C:\Windows\System32\svchost.exe; TargetProcessGUID={8B6011A9-0C56-6156-D243-02000000F001}; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=15341685; UtcTime=2021-09-30 19:13:26.422; SourceProcessGUID={8B6011A9-51ED-6143-1600-00000000F001}; SourceProcessId=1324; SourceThreadId=1356; SourceImage=C:\Windows\System32\svchost.exe; TargetProcessGUID={8B6011A9-0C56-6156-D243-02000000F001}; TargetProcessId=7244; TargetImage=C:\Windows\System32\WScript.exe; GrantedAccess=0x1478; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7; RecordID=15341684; UtcTime=2021-09-30 19:13:26.422; ImageLoaded=C:\Windows\System32\uxtheme.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Microsoft UxTheme Library; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=UxTheme.dll; Hashes=MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341683; UtcTime=2021-09-30 19:13:26.421; ImageLoaded=C:\Windows\System32\kernel.appcore.dll; FileVersion=10.0.14393.2312 (rs1_release.180607-1919); Description=AppModel API Host; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=kernel.appcore.dll; Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341682; UtcTime=2021-09-30 19:13:26.419; ImageLoaded=C:\Windows\System32\imm32.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Multi-User Windows IMM32 API Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=imm32; Hashes=MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341681; UtcTime=2021-09-30 19:13:26.418; ImageLoaded=C:\Windows\System32\version.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Version Checking and File Installation Libraries; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=VERSION.DLL; Hashes=MD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341680; UtcTime=2021-09-30 19:13:26.417; ImageLoaded=C:\Windows\System32\ole32.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Microsoft OLE for Windows; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=OLE32.DLL; Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341679; UtcTime=2021-09-30 19:13:26.417; ImageLoaded=C:\Windows\System32\bcryptprimitives.dll; FileVersion=10.0.14393.4583 (rs1_release.210730-1850); Description=Windows Cryptographic Primitives Library; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=bcryptprimitives.dll; Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341678; UtcTime=2021-09-30 19:13:26.417; ImageLoaded=C:\Windows\System32\combase.dll; FileVersion=10.0.14393.4583 (rs1_release.210730-1850); Description=Microsoft COM for Windows; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=COMBASE.DLL; Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341677; UtcTime=2021-09-30 19:13:26.416; ImageLoaded=C:\Windows\System32\ucrtbase.dll; FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813); Description=Microsoft® C Runtime Library; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=ucrtbase.dll; Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341676; UtcTime=2021-09-30 19:13:26.416; ImageLoaded=C:\Windows\System32\msvcp_win.dll; FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518); Description=Microsoft® C Runtime Library; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=msvcp_win.dll; Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341675; UtcTime=2021-09-30 19:13:26.416; ImageLoaded=C:\Windows\System32\oleaut32.dll; FileVersion=10.0.14393.4402 (rs1_release.210426-1725); Description=OLEAUT32.DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=OLEAUT32.DLL; Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341674; UtcTime=2021-09-30 19:13:26.415; ImageLoaded=C:\Windows\System32\gdi32full.dll; FileVersion=10.0.14393.4530 (rs1_release.210705-0736); Description=GDI Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=gdi32; Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341673; UtcTime=2021-09-30 19:13:26.415; ImageLoaded=C:\Windows\System32\gdi32.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=GDI Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=gdi32; Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341672; UtcTime=2021-09-30 19:13:26.415; ImageLoaded=C:\Windows\System32\win32u.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Win32u; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=Win32u.DLL; Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341671; UtcTime=2021-09-30 19:13:26.415; ImageLoaded=C:\Windows\System32\user32.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Multi-User Windows USER API Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=user32; Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341670; UtcTime=2021-09-30 19:13:26.414; ImageLoaded=C:\Windows\System32\rpcrt4.dll; FileVersion=10.0.14393.4467 (rs1_release.210604-1844); Description=Remote Procedure Call Runtime; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=rpcrt4.dll; Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341669; UtcTime=2021-09-30 19:13:26.414; ImageLoaded=C:\Windows\System32\sechost.dll; FileVersion=10.0.14393.3808 (rs1_release.200707-2105); Description=Host for SCM/SDDL/LSA Lookup APIs; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=sechost.dll; Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341668; UtcTime=2021-09-30 19:13:26.414; ImageLoaded=C:\Windows\System32\msvcrt.dll; FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743); Description=Windows NT CRT DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=msvcrt.dll; Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341667; UtcTime=2021-09-30 19:13:26.414; ImageLoaded=C:\Windows\System32\advapi32.dll; FileVersion=10.0.14393.4467 (rs1_release.210604-1844); Description=Advanced Windows 32 Base API; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=advapi32.dll; Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
EventID=7; RecordID=15341666; UtcTime=2021-09-30 19:13:26.413; ImageLoaded=C:\Windows\System32\KernelBase.dll; FileVersion=10.0.14393.4350 (rs1_release.210407-2154); Description=Windows NT BASE API Client DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015341665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.412{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015341664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.412{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015341663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.411{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015341662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:26.410{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015341661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.410{8B6011A9-B0F1-6155-7237-02000000F001}125210204C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015341660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.410{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015342115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.532{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015342111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.529{8B6011A9-0C57-6156-D443-02000000F001}3860C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015342109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.529{8B6011A9-0C57-6156-D443-02000000F001}3860C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015342060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.500{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015342058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.499{8B6011A9-0C56-6156-D343-02000000F001}79724036C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C57-6156-D443-02000000F001}3860C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015342057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.499{8B6011A9-0C57-6156-D443-02000000F001}3860C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015342056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.495{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015342055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.494{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015342054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.485{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015342053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.485{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015342052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.484{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015342051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.482{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015342019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.465{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015342018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.464{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015342017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.462{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015342016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.462{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000015342015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.461{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015342014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.461{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015342013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.460{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015342012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.460{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000015342008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.175{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015342007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.175{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015342006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.174{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015341999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.058{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000015341998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.047{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015341997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.047{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015341996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.046{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015341995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.046{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015341994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.045{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® 
Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000015341993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.045{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015341992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.045{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015341991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015341990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015341989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015341988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015341987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x800000000000000015341986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015341985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015341984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015341983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015341982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015341981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.044{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015341980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.043{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015341979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.043{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000015341978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.042{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000015341977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.042{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000015341976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.031{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 
734700x800000000000000015341975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.031{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000015341974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.021{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015341973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.021{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000015341972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.021{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.021{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000015341970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.020{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.020{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.020{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.020{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.020{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015341965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.018{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015341964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.018{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000015341963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.015{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015341962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.015{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015341961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.014{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015341959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015341958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015341957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015341956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015341955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015341954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015341953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.013{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015341952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015341951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015341950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000015341949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 13241300x800000000000000015341948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015341947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:27.012{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 
12241200x800000000000000015341946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.011{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015341945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.011{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000015341944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:27.011{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015341943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.010{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000015341942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.009{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000015341941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.009{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000015341940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.008{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000015341939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.006{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015341938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.006{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015341937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:27.002{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000015341936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.000{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000015341935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.000{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015341934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:27.000{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015341933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:26.999{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015341932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:26.999{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 354300x800000000000000015342126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:43.076{8B6011A9-0C56-6156-D243-02000000F001}7244C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59484-false172.67.68.88-443https 22542200x800000000000000015342122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.673{8B6011A9-0C56-6156-D343-02000000F001}7972paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015342121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.151{8B6011A9-0C56-6156-D243-02000000F001}7244paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\System32\wscript.exe 354300x800000000000000015342120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:43.597{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59485-false172.67.68.88-443https 
10341000x800000000000000015342264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.564{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015342263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.564{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000015342260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:29.564{8B6011A9-0C59-6156-D643-02000000F001}3932C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015342258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.564{8B6011A9-0C59-6156-D643-02000000F001}3932C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 10341000x800000000000000015342253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.562{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.561{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.561{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.561{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.561{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.560{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.559{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015342241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.559{8B6011A9-0C59-6156-D843-02000000F001}53047364C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000015342166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.537{8B6011A9-0C59-6156-D843-02000000F001}5304C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 80C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000015342156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.534{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.534{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.534{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:29.533{8B6011A9-0C59-6156-D543-02000000F001}53205856C:\Windows\winhlp32.exe{8B6011A9-0C59-6156-D743-02000000F001}6416C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|UNKNOWN(0000000076FDEF6C)|UNKNOWN(000000007705CF02)|UNKNOWN(000000007701F19A)|UNKNOWN(000000007701E602)|UNKNOWN(000000007701E24A)|UNKNOWN(00000000770167D2)|UNKNOWN(0000000076FD7FC0) 10341000x800000000000000015342148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.531{8B6011A9-0C56-6156-D343-02000000F001}79727964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C59-6156-D643-02000000F001}3932C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.
dll+2fffa(wow64)
154100x800000000000000015342147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.531{8B6011A9-0C59-6156-D643-02000000F001}3932C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
734700x800000000000000015342146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.529{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000015342145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.528{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000015342144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:29.528{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000015342143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:29.528{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000015342142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.528{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000015342141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.528{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000015342140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.527{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000015342139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.527{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000015342138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.527{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000015342137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.526{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000015342136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.526{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000015342135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.526{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000015342134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.523{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000015342133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.523{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005D70169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000084B2FB8)
154100x800000000000000015342132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:29.523{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
13241300x800000000000000015342400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:31.624{8B6011A9-0C5B-6156-DA43-02000000F001}4388C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000015342397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.624{8B6011A9-0C5B-6156-DA43-02000000F001}4388C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
534500x800000000000000015342376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.609{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exe
734700x800000000000000015342364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.605{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000015342360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.604{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000015342359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.604{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000015342357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.603{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000015342356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.603{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000015342355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.603{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000015342354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.603{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000015342353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.603{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000015342352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.602{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000015342351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.602{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000015342350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.602{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000015342348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.601{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000015342347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.601{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000015342346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.600{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000015342344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.600{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000015342342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.599{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000015342341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.599{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000015342340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.599{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000015342338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.599{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000015342336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.598{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000015342332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.597{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000015342331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.597{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000015342329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.597{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000015342327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.596{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000015342326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.596{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000015342324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.596{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000015342322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.595{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000015342320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.595{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000015342319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.595{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000015342317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.594{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
10341000x800000000000000015342316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.594{8B6011A9-0C56-6156-D343-02000000F001}79726944C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C5B-6156-DA43-02000000F001}4388C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
734700x800000000000000015342315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.594{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
154100x800000000000000015342314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.594{8B6011A9-0C5B-6156-DA43-02000000F001}4388C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
734700x800000000000000015342313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.593{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000015342312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.592{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000015342311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.591{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000015342310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.591{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000015342309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.591{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
12241200x800000000000000015342308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:31.591{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000015342307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:31.591{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000015342306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.590{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000015342305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.590{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000015342304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.590{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000015342303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.589{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000015342302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.589{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000015342301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.588{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000015342300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.588{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000015342299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.586{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000015342298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.585{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006150169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000084B2EB0)
154100x800000000000000015342297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.585{8B6011A9-0C5B-6156-D943-02000000F001}10164C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
534500x800000000000000015342289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:31.313{8B6011A9-0C59-6156-D543-02000000F001}5320C:\Windows\winhlp32.exe
534500x800000000000000015342521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.686{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000015342520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.673{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000015342519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.672{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000015342518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.672{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000015342517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.672{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015342516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.672{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015342515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.672{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015342514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015342513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015342512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015342511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015342510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015342509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.671{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015342508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.670{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015342507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.670{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015342506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.670{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015342505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.670{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000015342504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.669{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000015342503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 19:13:33.668{8B6011A9-0C56-6156-D343-02000000F001}7972\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000015342502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.668{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000015342501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.667{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000015342500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.664{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015342499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.664{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015342498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.664{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015342497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.664{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015342496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.663{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015342495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.663{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015342494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
734700x800000000000000015342436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.632{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015342435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.631{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015342434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.631{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015342433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.630{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 
734700x800000000000000015342432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.630{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015342431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.630{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015342430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.627{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015342429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:33.627{8B6011A9-0C56-6156-D343-02000000F001}79725612C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000075D0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000084B2EF8) 154100x800000000000000015342428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:33.627{8B6011A9-0C5D-6156-DB43-02000000F001}10056C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C56-6156-D343-02000000F001}7972C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015342862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.937{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000015342861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.937{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015342860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.936{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000015342857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.825{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 13241300x800000000000000015342854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.812{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000015342853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.811{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.811{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.811{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015342850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.810{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid 12241200x800000000000000015342849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.810{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015342848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 
12241200x800000000000000015342847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015342846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015342845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015342844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015342843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015342842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015342841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015342840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015342839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015342838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015342837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.809{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015342836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.808{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000015342835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.807{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 
734700x800000000000000015342834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.807{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000015342833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.807{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x800000000000000015342832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.790{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015342831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.789{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000015342830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.778{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 
(rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000015342829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 12241200x800000000000000015342828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.777{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.774{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015342820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.774{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000015342819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.772{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015342818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
19:13:41.772{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015342817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.772{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015342815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015342814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015342813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015342812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 
12241200x800000000000000015342811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015342810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015342809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.770{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015342808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015342807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015342806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000015342805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 13241300x800000000000000015342804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015342803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.769{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015342802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.768{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015342801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.768{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service 
ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 12241200x800000000000000015342800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.768{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015342799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.767{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000015342798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.767{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000015342797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.766{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000015342796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.765{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 10341000x800000000000000015342795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.763{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.763{8B6011A9-51EB-6143-0B00-00000000F001}6326824C:\Windows\system32\lsass.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015342793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.759{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000015342792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.758{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000015342791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.757{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015342790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.757{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015342789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.757{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015342788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.756{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015342787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.754{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid 734700x800000000000000015342786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.753{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015342785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.751{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015342784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.750{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015342783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.750{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015342782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.750{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015342781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.750{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015342780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.749{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015342779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.749{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015342778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.748{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015342777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.747{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015342776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.746{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000015342775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:41.745{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015342774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.745{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015342773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.744{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015342772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.744{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015342771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.742{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 
(rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000015342770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.742{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015342769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.742{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015342768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.741{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015342767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.740{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015342766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.740{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000015342765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.739{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015342764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.738{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015342763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.737{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015342762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.736{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015342761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.736{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015342760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.736{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015342759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.735{8B6011A9-51ED-6143-0C00-00000000F001}8524728C:\Windows\system32\svchost.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.734{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.734{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015342756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.733{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015342755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.733{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015342754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.730{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000015342753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.729{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015342752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.729{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015342751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.728{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015342750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.728{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000015342749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.728{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015342748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.727{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015342747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.727{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015342746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.727{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000015342745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.726{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015342744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.726{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015342743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.726{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015342742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.725{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015342741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.725{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015342740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.725{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015342739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.724{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 534500x800000000000000015342738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.724{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exe 734700x800000000000000015342737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.724{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015342736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.724{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015342735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.723{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015342734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.722{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015342733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.721{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015342732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.721{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015342731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.721{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015342730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.720{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015342729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.720{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015342728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.720{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015342727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.719{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015342726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.718{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015342725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.718{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015342724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.718{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000015342723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.717{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015342722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.717{8B6011A9-0C65-6156-DC43-02000000F001}14285436C:\Windows\System32\WScript.exe{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015342721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.717{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 734700x800000000000000015342720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.713{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000015342719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.712{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015342718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.707{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000015342705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.698{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000015342704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.696{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000015342703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.695{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000015342702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.694{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000015342701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.694{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000015342700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.694{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000015342699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.693{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000015342698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.693{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 734700x800000000000000015342694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.441{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000015342693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.441{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000015342692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.440{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000015342691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.297{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 13241300x800000000000000015342690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.284{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.284{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.284{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.284{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000015342686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.284{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x800000000000000015342685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.283{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x800000000000000015342684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.283{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000015342683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000015342682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000015342681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015342680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000015342679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015342678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000015342677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000015342676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015342675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000015342674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000015342673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000015342672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.282{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 
12241200x800000000000000015342671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.281{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015342670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.281{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000015342669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.280{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000015342668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.280{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000015342667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.280{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000015342666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.265{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000015342665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.265{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000015342664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.253{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000015342663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.253{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000015342662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.253{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000015342656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.252{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x800000000000000015342655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.250{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000015342654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.250{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000015342653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.248{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000015342652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.248{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000015342651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.247{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000015342649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 
19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000015342648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015342647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000015342646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000015342645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000015342644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000015342643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015342642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.246{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000015342641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015342640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000015342639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 
13241300x800000000000000015342638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015342637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015342636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000015342635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.245{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000015342634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.244{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000015342633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.244{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000015342632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.243{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000015342631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.243{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000015342630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.242{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
[EventID 10 ProcessAccess, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15342629] Channel: Microsoft-Windows-Sysmon/Operational; Computer: win-dc-469.attackrange.local; UserID: -
  UtcTime: 2021-09-30 19:13:41.240
  SourceProcessGUID: {8B6011A9-51EB-6143-0B00-00000000F001}; SourceProcessId+SourceThreadId (run together in the export): 6326824
  SourceImage: C:\Windows\system32\lsass.exe
  TargetProcessGUID: {8B6011A9-0C65-6156-DC43-02000000F001}; TargetProcessId: 1428
  TargetImage: C:\Windows\System32\WScript.exe
  GrantedAccess: 0x1478
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 15342628] Channel: Microsoft-Windows-Sysmon/Operational; Computer: win-dc-469.attackrange.local; UserID: -
  UtcTime: 2021-09-30 19:13:41.240
  SourceProcessGUID: {8B6011A9-51EB-6143-0B00-00000000F001}; SourceProcessId+SourceThreadId (run together in the export): 6326824
  SourceImage: C:\Windows\system32\lsass.exe
  TargetProcessGUID: {8B6011A9-0C65-6156-DC43-02000000F001}; TargetProcessId: 1428
  TargetImage: C:\Windows\System32\WScript.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000015342627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.240{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000015342626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.236{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000015342625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.236{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000015342624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.235{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x800000000000000015342623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.235{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000015342622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.235{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000015342621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.234{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000015342620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.232{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000015342619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.231{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015342618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.229{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015342617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.229{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015342616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.229{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000015342615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.229{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015342614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.228{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015342613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.228{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015342612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.228{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000015342611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.227{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015342610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.227{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015342609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.226{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015342608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.225{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015342607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.225{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015342606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.225{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015342605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.224{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015342604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.224{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000015342603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.222{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification 
APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015342602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.222{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015342601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.222{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015342600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.221{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000015342599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.220{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015342598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.220{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015342597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.219{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015342596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.218{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000015342595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.217{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000015342594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.217{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000015342593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.216{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015342592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:41.216{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000015342591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.215{8B6011A9-51ED-6143-0C00-00000000F001}8524728C:\Windows\system32\svchost.exe{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.214{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015342589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.214{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015342588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.214{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000015342587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.213{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000015342586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.211{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000015342585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.210{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000015342584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.209{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000015342583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.209{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000015342582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.209{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000015342581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.208{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000015342580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.208{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000015342579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.208{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000015342578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.208{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000015342577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.207{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000015342576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.207{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000015342575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.207{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015342574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.206{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015342573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.206{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015342572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.206{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015342571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.205{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000015342570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.204{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015342569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.204{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015342568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.203{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015342567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.203{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015342566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:41.202{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015342565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.202{8B6011A9-B0F1-6155-7237-02000000F001}12525396C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015342564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:41.202{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000015342965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.303{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015342961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:42.299{8B6011A9-0C66-6156-DE43-02000000F001}3356C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000015342959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.299{8B6011A9-0C66-6156-DE43-02000000F001}3356C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015342910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.272{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015342908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.271{8B6011A9-0C65-6156-DD43-02000000F001}86447072C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C66-6156-DE43-02000000F001}3356C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015342907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.271{8B6011A9-0C66-6156-DE43-02000000F001}3356C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015342906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.267{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015342905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:42.266{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000015342904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:42.257{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015342903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:42.257{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015342902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:42.256{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015342901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.254{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000015342874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.239{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015342873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.238{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015342872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:42.236{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015342871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.235{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000015342870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:42.234{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015342869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:42.234{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015342868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:42.234{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015342867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:42.234{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 354300x800000000000000015342977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:58.356{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59496-false172.67.68.88-443https 354300x800000000000000015342976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.831{8B6011A9-0C65-6156-DC43-02000000F001}1428C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59495-false172.67.68.88-443https 22542200x800000000000000015342973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.430{8B6011A9-0C65-6156-DD43-02000000F001}8644paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 22542200x800000000000000015342972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:58.905{8B6011A9-0C65-6156-DC43-02000000F001}1428paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\System32\wscript.exe 13241300x800000000000000015343084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:44.345{8B6011A9-0C68-6156-E043-02000000F001}6348C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
734700x800000000000000015343082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.345{8B6011A9-0C68-6156-E043-02000000F001}6348C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015343061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.330{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exe 734700x800000000000000015343048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.326{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015343045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.325{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015343044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.325{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015343043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.325{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015343041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015343040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015343039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® 
Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015343038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015343037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015343036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.324{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015343035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.323{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015343033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.323{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015343032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.323{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015343031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.322{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015343029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.322{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015343027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.322{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015343026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.321{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015343024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.321{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015343022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.320{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015343020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.320{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015343017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.319{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015343015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.319{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015343013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.319{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015343012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.318{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015343010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.318{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015343008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.317{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015343006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.317{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015343005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.317{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015343004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.316{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015343002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.316{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 10341000x800000000000000015343001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:44.316{8B6011A9-0C65-6156-DD43-02000000F001}86443936C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C68-6156-E043-02000000F001}6348C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015343000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.316{8B6011A9-0C68-6156-E043-02000000F001}6348C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015342999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.316{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015342998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.314{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015342997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.314{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015342996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.313{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
734700x800000000000000015342995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.313{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015342994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.313{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000015342993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:44.313{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015342992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:44.312{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015342991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.312{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015342990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.312{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015342989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.312{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015342988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.311{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015342987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.311{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015342986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.310{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015342985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.310{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015342984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.308{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015342983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:44.307{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006140169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008737FE0) 154100x800000000000000015342982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:44.307{8B6011A9-0C68-6156-DF43-02000000F001}5368C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 13241300x800000000000000015343199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:46.387{8B6011A9-0C6A-6156-E243-02000000F001}4864C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 
734700x800000000000000015343197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.386{8B6011A9-0C6A-6156-E243-02000000F001}4864C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015343177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.371{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exe 734700x800000000000000015343164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.367{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015343161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.366{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015343159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.366{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015343158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.366{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015343157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.366{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015343155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.365{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015343154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.365{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015343153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.365{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015343152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.365{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015343151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.365{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015343150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.364{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015343149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.364{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015343147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.364{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015343146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.363{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015343145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.363{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015343144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.363{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015343142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.362{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015343140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.362{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015343139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.362{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015343137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.361{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015343135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.361{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015343131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.360{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015343130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.359{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015343128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.359{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015343126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.358{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015343125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.358{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015343122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.358{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015343120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.357{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015343119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.357{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015343118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.357{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015343116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.356{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 10341000x800000000000000015343115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.356{8B6011A9-0C65-6156-DD43-02000000F001}86447136C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C6A-6156-E243-02000000F001}4864C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015343114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.356{8B6011A9-0C6A-6156-E243-02000000F001}4864C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000015343113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.356{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015343112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.355{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015343111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.354{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015343110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:46.354{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015343109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.353{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015343108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:46.353{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015343107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.353{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000015343106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:46.353{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 
734700x800000000000000015343105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.353{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015343104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.352{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015343103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.352{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015343102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.352{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x800000000000000015343101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.351{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015343100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.351{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015343099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.350{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015343098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.348{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015343097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:46.347{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000061D0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008737ED8) 154100x800000000000000015343096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:46.347{8B6011A9-0C6A-6156-E143-02000000F001}4004C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 534500x800000000000000015343337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.456{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000015343336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.438{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015343335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.438{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015343334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.437{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015343333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.437{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015343332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.437{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015343329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.436{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015343328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.436{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015343327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.436{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015343324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.436{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015343323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.435{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015343322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.435{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015343321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.435{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015343318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.434{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015343317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.434{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015343316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.433{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015343315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.433{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 734700x800000000000000015343314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.432{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000015343313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 19:13:48.432{8B6011A9-0C65-6156-DD43-02000000F001}8644\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 
734700x800000000000000015343312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.431{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000015343311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.431{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000015343310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.428{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015343309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.428{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 
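The detection point in this dump is the Event ID 10 record in which wscript.exe (PID 8644, running C:\temp\remcos.vbs) opens the winhlp32.exe it has just spawned (PID 4004) with GrantedAccess 0x1fffff, from a call trace that passes through dynwrapx.dll in the user's %TEMP% (the DynamicWrapperX COM component, which lets a script call arbitrary Win32 APIs) and two frames in unbacked memory. The neighbouring records show why the access mask alone is a poor signal: csrss.exe opens the same new process with the same 0x1fffff, and wscript.exe opens explorer.exe repeatedly with 0x40 (PROCESS_DUP_HANDLE) from ordinary shell code. The Python below is an added triage example, not part of the original dataset or of attack_range; its sample records are constructed from the field values visible above, and the script-host list and the two-indicator rule are assumptions to tune per environment.

```python
"""Triage Sysmon ProcessAccess (Event ID 10) records for script-host injection.

Added example. Sample records are constructed from field values in the dump
above; field names follow the Sysmon schema. SCRIPT_HOSTS and the decision
rule in is_suspicious() are assumptions.
"""
import re

# Process access rights from winnt.h; an injector needs these to write code
# into another process and start it running.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECT_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
               | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumption

# One CallTrace frame looks like "C:\Windows\System32\wow64.dll+10c0b(wow64)";
# frames in unbacked memory appear as "UNKNOWN(00000000061D0169)".
FRAME_RE = re.compile(r"^(?P<module>.+?)\+[0-9a-fA-F]+(?:\(wow64\))?$")


def parse_call_trace(call_trace):
    """Split a Sysmon CallTrace into (module paths, number of UNKNOWN frames)."""
    modules, unknown = [], 0
    for frame in call_trace.split("|"):
        if frame.startswith("UNKNOWN("):
            unknown += 1
            continue
        match = FRAME_RE.match(frame)
        if match:
            modules.append(match.group("module"))
    return modules, unknown


def is_windows_module(path):
    """True for modules under System32/SysWOW64; traces mix upper and lower case."""
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def triage(access, parent_of):
    """Return the reasons an Event ID 10 record looks like injection.

    `access` holds the Sysmon ProcessAccess fields used here; `parent_of` maps
    ProcessId -> ParentProcessId built from Event ID 1 records. An empty list
    means the handle carries no rights that could be used to inject at all.
    """
    granted = int(access["GrantedAccess"], 16)
    if not granted & INJECT_MASK:
        return []
    reasons = [f"GrantedAccess 0x{granted:x} includes write/thread rights"]
    source = access["SourceImage"].rsplit("\\", 1)[-1].lower()
    if source in SCRIPT_HOSTS:
        reasons.append(f"source {source} is a script host")
    if parent_of.get(access["TargetProcessId"]) == access["SourceProcessId"]:
        reasons.append("source is the parent of the target (self-spawned host)")
    modules, unknown = parse_call_trace(access["CallTrace"])
    foreign = sorted({m for m in modules if not is_windows_module(m)})
    if foreign:
        reasons.append("non-Windows module in call trace: " + ", ".join(foreign))
    if unknown:
        reasons.append(f"{unknown} frame(s) in unbacked memory")
    return reasons


def is_suspicious(access, parent_of):
    """Full access alone is normal for csrss.exe and debuggers: require one more indicator."""
    return len(triage(access, parent_of)) >= 2


# Constructed from the dump: Event ID 1, winhlp32.exe 4004 spawned by wscript.exe 8644.
PROCESS_CREATES = [
    {"ProcessId": 4004, "Image": r"C:\Windows\winhlp32.exe", "ParentProcessId": 8644,
     "ParentCommandLine": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"'},
]

# Constructed from the dump: three Event ID 10 records (call traces abbreviated).
PROCESS_ACCESSES = [
    {"RecordId": 15343097, "SourceImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE", "SourceProcessId": 8644,
     "TargetImage": r"C:\Windows\winhlp32.exe", "TargetProcessId": 4004, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|"
                  r"C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000061D0169)|"
                  r"C:\Windows\System32\USER32.dll+c997(wow64)|"
                  r"C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008737ED8)"},
    {"RecordId": 15343098, "SourceImage": r"C:\Windows\system32\csrss.exe", "SourceProcessId": 436,
     "TargetImage": r"C:\Windows\winhlp32.exe", "TargetProcessId": 4004, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|"
                  r"C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"},
    {"RecordId": 15343336, "SourceImage": r"C:\Windows\SYSWOW64\WSCRIPT.EXE", "SourceProcessId": 8644,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 6356, "GrantedAccess": "0x40",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\SHELL32.dll+15b709(wow64)"},
]


def flagged_records(accesses=PROCESS_ACCESSES, creates=PROCESS_CREATES):
    """RecordIds of the access events that survive triage."""
    parent_of = {c["ProcessId"]: c["ParentProcessId"] for c in creates}
    return [a["RecordId"] for a in accesses if is_suspicious(a, parent_of)]


if __name__ == "__main__":
    parent_of = {c["ProcessId"]: c["ParentProcessId"] for c in PROCESS_CREATES}
    for a in PROCESS_ACCESSES:
        verdict = "ALERT" if is_suspicious(a, parent_of) else "ok   "
        print(verdict, a["RecordId"], a["SourceImage"], "->", a["TargetImage"], a["GrantedAccess"])
        for reason in triage(a, parent_of):
            print("       -", reason)
```

Run against the three constructed records, only 15343097 is flagged: it has write/thread rights, a script-host source that is also the target's parent, a module loaded from a user-writable directory in the trace, and frames with no backing image. The csrss.exe open is dropped because every frame is Windows code and csrss.exe is neither a script host nor the parent, and the 0x40 opens of explorer.exe never reach the indicator checks at all. In a real pipeline the same logic applies to each Event ID 10 as it arrives, with the parent map fed from Event ID 1.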
10341000x800000000000000015343308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015343307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015343306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015343305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015343304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015343303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015343302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015343301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.427{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015343299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.426{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015343298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.426{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015343297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.426{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015343296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.426{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000015343295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.425{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 11241100x800000000000000015343294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.425{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 10341000x800000000000000015343293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.425{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.425{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.425{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000015343290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.425{8B6011A9-0C65-6156-DD43-02000000F001}8644ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000015343288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.424{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.424{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.424{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.422{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015343280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C6C-6156-E543-02000000F001}78928368C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C6C-6156-E343-02000000F001}10088C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015343279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000015343278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015343276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015343275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015343274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015343273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:48.422{8B6011A9-0C65-6156-DD43-02000000F001}86446396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015343271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.418{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000015343266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:48.417{8B6011A9-0C65-6156-DD43-02000000F001}8644C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
19:13:52.792{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015343700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.792{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015343699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.792{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015343698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.791{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015343697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.791{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015343696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.790{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015343695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.790{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015343694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.789{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015343693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.789{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015343692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.788{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000015343691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.787{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015343690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.787{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015343689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.787{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015343688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.786{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015343687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.784{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000015343686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.784{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015343685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.784{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto 
API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015343684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.783{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015343683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.782{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015343682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.782{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000015343681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.781{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015343680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.780{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015343679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.779{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015343678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.778{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015343677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.778{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 
12241200x800000000000000015343676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.778{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015343675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.777{8B6011A9-51ED-6143-0C00-00000000F001}8524728C:\Windows\system32\svchost.exe{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015343674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.776{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015343673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.776{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015343672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.775{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015343671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.775{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015343670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.773{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000015343669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.771{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015343668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.771{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015343667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.771{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015343666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.770{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000015343665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.770{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015343664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.770{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015343663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.769{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015343662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.769{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000015343661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.769{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015343660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.768{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015343659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.768{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015343658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.768{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015343657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.767{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015343656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.767{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015343655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.767{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015343654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.766{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000015343653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.766{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 534500x800000000000000015343652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.766{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exe 734700x800000000000000015343651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.765{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015343650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.765{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015343649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.763{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating 
19:13:52.305{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000015343487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.303{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000015343486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.303{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000015343485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.303{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000015343484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.302{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000015343483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.302{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000015343480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.302{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000015343479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.301{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000015343473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.301{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000015343472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.300{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000015343471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.300{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000015343470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.299{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015343469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.299{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000015343468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.298{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000015343467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.298{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000015343466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.297{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000015343464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.296{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification 
APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000015343462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.295{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000015343461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.295{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000015343459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.295{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000015343456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.293{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000015343455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.293{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000015343454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.292{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000015343452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.291{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000015343443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.288{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 13241300x800000000000000015343442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:52.287{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b62f-0x4e3a2c88) 734700x800000000000000015343439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.287{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000015343438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.286{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015343437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:52.286{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000015343436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.285{8B6011A9-51ED-6143-0C00-00000000F001}8524728C:\Windows\system32\svchost.exe{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015343435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.284{8B6011A9-51ED-6143-1600-00000000F001}13243684C:\Windows\System32\svchost.exe{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015343434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.284{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015343433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.284{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000015343432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.283{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000015343431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.281{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000015343430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.280{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000015343429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.280{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000015343423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.280{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000015343422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.279{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000015343421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.279{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000015343420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.279{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000015343419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.278{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000015343418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.278{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000015343417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.278{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000015343416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.278{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000015343415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.278{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015343414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.277{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000015343413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.277{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000015343411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.276{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000015343408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.276{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000015343407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.275{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000015343404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.275{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015343400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.274{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015343399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.274{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000015343398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:52.271{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015343397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.270{8B6011A9-E3FA-6155-883E-02000000F001}63565600C:\Windows\explorer.exe{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015343396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:52.270{8B6011A9-0C70-6156-E643-02000000F001}7480C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\remcos.vbs" 
C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 734700x800000000000000015343932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.349{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000015343928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:53.346{8B6011A9-0C71-6156-E843-02000000F001}6248C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 734700x800000000000000015343926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.346{8B6011A9-0C71-6156-E843-02000000F001}6248C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000015343877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.316{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000015343875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.314{8B6011A9-0C70-6156-E743-02000000F001}43929956C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C71-6156-E843-02000000F001}6248C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015343874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.315{8B6011A9-0C71-6156-E843-02000000F001}6248C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S 
"C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000015343873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.294{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=EE819BD4AC9B986F13574CD7F1384913,SHA256=E9997360FFACB4DDB4E9E5F6AFDCCDACF1FAACF2CC38A96108700183C27BA194trueMicrosoft WindowsValid 734700x800000000000000015343848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.310{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015343847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:53.310{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000015343844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.293{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Program Files (x86)\Common Files\System\ado\msado15.dll10.0.14393.4169 (rs1_release.210107-1130)ActiveX Data ObjectsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsado15.dllMD5=0773E3F6B080C8BAB1C694136D9AB923,SHA256=4DAC725E8DD3700DB8474A6F9DD40A2DBF0472AEE01827E16EA88808FB3E6924trueMicrosoft WindowsValid 12241200x800000000000000015343819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:53.300{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015343818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:53.300{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015343817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.299{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000015343816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.297{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 11241100x800000000000000015343815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.296{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll2021-09-30 19:13:53.296 
734700x800000000000000015343786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.270{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000015343785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.269{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000015343784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.267{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000015343783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.266{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 
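The records on this page are Sysmon events from the Remcos attack-range run, each record flattened into one run of field values (EventID, version, level, task, opcode and keywords run together, then record ID, channel, computer and the event-specific fields). What follows is an added example, not part of the dataset or of any vendor's detection content: Python that transcribes the records carrying the chain (the 32-bit wscript.exe running remcos.vbs, its regsvr32.exe child registering dynwrapx.dll out of the user's Temp directory, the unsigned load of that DLL, the CLSID InProcServer32 write, and the paste.ee lookup and TCP 443 connection recorded just below) into Sysmon's own field names, runs five detection rules over them, and correlates the hits back to the script host through EventID 1 parent links. Paths, GUIDs, hashes and addresses come from the records; the extra paste-service names and the three-rule threshold are assumptions.

```python
"""Detection logic for the Remcos chain in the Sysmon records above. Added example, not part of
the log dump: EVENTS is transcribed from records on this page into Sysmon's own field names
(EventID 1, 3, 7, 13, 22); fields the dump does not show are left out."""
import ipaddress
import re
from collections import defaultdict

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# [^\\]+ rather than an account name so 8.3 short names such as ADMINI~1 still match
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# paste.ee is the stager in the log; the other two are an assumption about what else to watch
PASTE_SERVICES = {"paste.ee", "pastebin.com", "hastebin.com"}
WSCRIPT = "{8B6011A9-0C70-6156-E743-02000000F001}"   # 32-bit wscript.exe, PID 4392
REGSVR32 = "{8B6011A9-0C71-6156-E843-02000000F001}"  # regsvr32.exe, PID 6248
TEMP_DLL = r"C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"

EVENTS = [
    # record 15343874: regsvr32 /I /S on a DLL in Temp; parent is wscript.exe running remcos.vbs
    {"EventID": 1, "ProcessGuid": REGSVR32, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": f'"C:\\Windows\\System32\\regsvr32.exe" /I /S "{TEMP_DLL}"',
     "ParentProcessGuid": WSCRIPT, "ParentImage": r"C:\Windows\SysWOW64\wscript.exe"},
    # record 15343932: wscript.exe loads the unsigned DynamicWrapperX DLL from Temp
    {"EventID": 7, "ProcessGuid": WSCRIPT, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ImageLoaded": TEMP_DLL, "Product": "DynamicWrapperX", "OriginalFileName": "dynwrapx.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "Hashes": "MD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379"},
    # record 15343404: a signed system DLL loaded by the 64-bit wscript.exe (PID 7480); must not alert
    {"EventID": 7, "ProcessGuid": "{8B6011A9-0C70-6156-E643-02000000F001}",
     "Image": r"C:\Windows\System32\wscript.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Product": "Microsoft® Windows® Operating System", "OriginalFileName": "kernel32", "Signed": "true",
     "SignatureStatus": "Valid"},
    # record 15343928: regsvr32 registers the DLL as a per-user COM server under the SID's _Classes hive
    {"EventID": 13, "ProcessGuid": REGSVR32, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetObject": r"HKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID"
                     r"\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)",
     "Details": TEMP_DLL},
    # record 15343944: wscript.exe opens TCP 443 to the address paste.ee resolves to
    {"EventID": 3, "ProcessGuid": WSCRIPT, "Image": r"C:\Windows\SysWOW64\wscript.exe", "Initiated": "true",
     "SourceIp": "10.0.1.14", "DestinationIp": "172.67.68.88", "DestinationPort": "443"},
    # record 15343942: the DNS lookup behind that connection
    {"EventID": 22, "ProcessGuid": WSCRIPT, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "QueryName": "paste.ee", "QueryResults": "::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;"},
]

def is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)

def rule_regsvr32_temp_dll(ev):
    """EventID 1: a script host drives regsvr32 /i or /s against a DLL in a user Temp dir."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\regsvr32.exe"):
        return None
    cmd = ev["CommandLine"]
    if is_script_host(ev["ParentImage"]) and re.search(r"\s/[is]\b", cmd, re.I) and USER_TEMP.search(cmd):
        return ev["ParentProcessGuid"], cmd  # attribute the hit to the script host, not regsvr32

def rule_unsigned_temp_module(ev):
    """EventID 7: an unsigned module loaded from a user Temp dir, or any DynamicWrapperX build."""
    if ev["EventID"] != 7:
        return None
    from_temp = ev["Signed"] == "false" and USER_TEMP.search(ev["ImageLoaded"])
    dynwrapx = ev["Product"] == "DynamicWrapperX" or ev["OriginalFileName"].lower() == "dynwrapx.dll"
    if from_temp or dynwrapx:
        return ev["ProcessGuid"], ev["ImageLoaded"]

def rule_com_server_in_temp(ev):
    """EventID 13: an InProcServer32 default value that points into a user Temp dir."""
    if (ev["EventID"] == 13 and ev["TargetObject"].lower().endswith("\\inprocserver32\\(default)")
            and USER_TEMP.search(ev["Details"])):
        return ev["ProcessGuid"], ev["TargetObject"]

def rule_script_host_paste_dns(ev):
    """EventID 22: a script host resolving a paste service."""
    if ev["EventID"] == 22 and is_script_host(ev["Image"]) and ev["QueryName"].lower() in PASTE_SERVICES:
        return ev["ProcessGuid"], ev["QueryName"]

def rule_script_host_egress(ev):
    """EventID 3: a script host initiating TCP to a public (non-private, non-loopback) address."""
    if (ev["EventID"] == 3 and is_script_host(ev["Image"]) and ev["Initiated"] == "true"
            and ipaddress.ip_address(ev["DestinationIp"]).is_global):
        return ev["ProcessGuid"], f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'

RULES = (rule_regsvr32_temp_dll, rule_unsigned_temp_module, rule_com_server_in_temp,
         rule_script_host_paste_dns, rule_script_host_egress)

def evaluate(events):
    """Apply every rule to every event; return (rule_name, process_guid, detail) triples."""
    return [(rule.__name__, *hit) for ev in events for rule in RULES if (hit := rule(ev))]

def correlate(events, findings, min_rules=3):
    """Walk EventID 1 parent links from each hit up to the script host that rooted the chain
    and report hosts that tripped at least min_rules distinct rules."""
    parent = {ev["ProcessGuid"]: ev["ParentProcessGuid"] for ev in events if ev["EventID"] == 1}
    image = {ev["ProcessGuid"]: ev["Image"] for ev in events}
    by_host = defaultdict(set)
    for rule, guid, _ in findings:
        while guid in parent and not is_script_host(image.get(guid, "")):
            guid = parent[guid]
        by_host[guid].add(rule)
    return {guid: sorted(rules) for guid, rules in by_host.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    for host, rules in correlate(EVENTS, evaluate(EVENTS)).items():
        print(host, "->", ", ".join(rules))
```

Two points worth noting when adapting this. The registry write lands under `HKU\<SID>_Classes`, the per-user COM hive, so the registration would have succeeded even without the High integrity level this run had; filtering on HKLM alone misses it. And each rule on its own is noisy (installers drop DLLs in Temp, legitimate scripts resolve public hosts), which is why the hits are attributed to the originating script host and a chain is only reported once several independent rules agree on the same process.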
12241200x800000000000000015343782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:53.265{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000015343781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:53.265{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000015343780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.265{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000015343779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:53.264{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 354300x800000000000000015343944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:14:09.398{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59503-false172.67.68.88-443https 22542200x800000000000000015343942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:14:10.472{8B6011A9-0C70-6156-E743-02000000F001}4392paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe 13241300x800000000000000015344053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:55.382{8B6011A9-0C73-6156-EA43-02000000F001}7432C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 734700x800000000000000015344051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.381{8B6011A9-0C73-6156-EA43-02000000F001}7432C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015344032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.367{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe 734700x800000000000000015344019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.363{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015344016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015344014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015344013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015344012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015344011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015344009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.362{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015344008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.361{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015344006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.361{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015344005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.361{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015344004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.361{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015344003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.361{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015344002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.360{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015344000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.360{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015343999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.359{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015343998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.359{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015343996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.359{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015343994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.358{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015343993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.358{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015343991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.358{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015343987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.357{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015343986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.356{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015343984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.356{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015343982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.356{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015343980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.355{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015343979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.355{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015343976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.355{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015343974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.354{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015343973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.354{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000015343972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.353{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 10341000x800000000000000015343970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.353{8B6011A9-0C70-6156-E743-02000000F001}4392352C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C73-6156-EA43-02000000F001}7432C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 734700x800000000000000015343969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.353{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft 
WindowsValid 154100x800000000000000015343968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.353{8B6011A9-0C73-6156-EA43-02000000F001}7432C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000015343967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.352{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015343966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.351{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015343965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.351{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 
(rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015343964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.350{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000015343963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:55.350{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 734700x800000000000000015343962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.350{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000015343961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:55.350{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015343960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:55.350{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015343959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.349{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015343958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.349{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015343957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.348{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015343956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:55.348{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015343955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.348{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015343954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.347{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015343953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.345{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015343952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:55.344{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005640169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086584A0) 154100x800000000000000015343951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.344{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 13241300x800000000000000015344168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:57.460{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 
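The records on this page reached the corpus with every field delimiter stripped, so the chain they document (wscript.exe running remcos.vbs registers dynwrapx.dll from Temp with regsvr32 /I /S, the resulting CLSID's InProcServer32 value in the user hive is pointed at that DLL, and wscript.exe takes a PROCESS_ALL_ACCESS handle on a freshly spawned winhlp32.exe from a frame inside dynwrapx.dll) has to be reassembled before it can be queried. What follows is an added example, not part of the original dataset and not Splunk or Attack Range tooling: it splits the fused records back into Sysmon fields using the anchors the format still has, resolves Event 10's fused SourceProcessId/SourceThreadId from PIDs seen next to the same GUID in other records, and runs a small correlation over seven records copied from this page (the Event 10 call traces are shortened to a few frames). The tag names, the list of user-writable path markers and the one-second parent/child window are assumptions made for the illustration.

```python
"""Reconstruct and correlate the fused Sysmon records above (added example, not from the page).
A record reads: EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer,
RuleName ("-"), EventType (12/13 only), UtcTime, ProcessGuid, ProcessId, then the event's own
fields in schema order; fixed anchors (Keywords, GUID braces, drive letters, MD5=/SHA256=,
the DOMAIN\\user shape of User) let regexes pull them back apart."""
import re
from datetime import datetime

# A page line holds several records separated by one space before the next record header.
RECORD_START = re.compile(r" (?=\d{1,2}\d4\d{1,2}00x8000000000000000\d+Microsoft-Windows-Sysmon/)")
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)4(?P=event_id)00x8000000000000000(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-(?P<event_type>[A-Za-z]*)"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<rest>.*)$", re.I)
IMG = r"[A-Z]:\\.*?\.exe"
HASHES = r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+)"
BODY = {  # event-specific tails; for Event 10 the header "pid" is SourceProcessId and SourceThreadId fused
    1: re.compile(rf'^(?P<image>{IMG})(?P<file_info>.*?)(?P<command_line>"[^"]*"(?: [^"]*"[^"]*")*)'
                  r"(?P<cwd>[A-Z]:\\.*\\)(?P<user>[^{\\]*\\[^{\\]*)\{(?P<logon_guid>[^}]*)\}"
                  r"(?P<logon_id>0x[0-9a-f]+?)(?P<session>\d+)(?P<integrity>Low|Medium|High|System)"
                  rf"{HASHES}\{{(?P<parent_guid>[^}}]*)\}}(?P<parent_pid>\d+)(?P<parent_image>{IMG})"
                  r"(?P<parent_command_line>.*)$", re.I),
    7: re.compile(rf"^(?P<image>{IMG})(?P<image_loaded>[A-Z]:\\.*?\.(?:dll|ocx|exe))(?P<file_info>.*?)"
                  rf"{HASHES}(?P<signed>true|false)(?P<signature>.*)$", re.I),
    10: re.compile(rf"^(?P<source_image>{IMG})\{{(?P<target_guid>[^}}]*)\}}(?P<target_pid>\d+)"
                   rf"(?P<target_image>{IMG})(?P<granted_access>0x[0-9a-f]+?)(?P<call_trace>[A-Z]:\\.*)$", re.I),
    12: re.compile(rf"^(?P<image>{IMG})(?P<target_object>HK\w+\\.*?)(?P<details>[A-Z]:\\.*|)$", re.I),
}
BODY[13] = BODY[12]  # SetValue is CreateKey's shape plus a Details tail
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}                      # assumption: hosts of interest
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")  # assumption: path markers

def parse_record(text):
    """Parse one fused record into a dict; None for fragments that are not a record."""
    m = HEADER.match(text.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"], ev["record_id"] = int(ev["event_id"]), int(ev["record_id"])
    ev["utc"] = datetime.strptime(ev["utc"], "%Y-%m-%d %H:%M:%S.%f")
    tail = BODY[ev["event_id"]].match(ev.pop("rest")) if ev["event_id"] in BODY else None
    if tail:
        ev.update(tail.groupdict())
    return ev

def parse_page_line(line):
    """Split a page line holding several space-separated records and parse each."""
    return [ev for ev in map(parse_record, RECORD_START.split(line)) if ev]

def resolve_source_pids(events):
    """Split Event 10's fused SourceProcessId+SourceThreadId using a PID seen with the same GUID elsewhere."""
    known = {ev["guid"]: ev["pid"] for ev in events if ev["event_id"] != 10}
    known.update({ev["parent_guid"]: ev["parent_pid"] for ev in events if ev.get("parent_guid")})
    for ev in (e for e in events if e["event_id"] == 10):
        pid = known.get(ev["guid"], "")
        ok = pid and ev["pid"].startswith(pid) and len(ev["pid"]) > len(pid)  # else ambiguous: leave None
        ev["source_pid"], ev["source_tid"] = (int(pid), int(ev["pid"][len(pid):])) if ok else (None, None)
    return events

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)
def base(path):
    return path.rsplit("\\", 1)[-1].lower()
def leaves_windows(call_trace):
    """True if some frame is unbacked (UNKNOWN) or belongs to a module outside C:\\Windows."""
    return any(f.startswith("UNKNOWN") or not f.lower().startswith("c:\\windows\\") for f in call_trace.split("|"))

def triage(events):
    """Return (record_id, tag) findings over the parsed records; tag names are this example's own."""
    created = {ev["guid"]: ev for ev in events if ev["event_id"] == 1}
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 1 and base(ev.get("parent_image", "")) in SCRIPT_HOSTS and base(ev["image"]) == "regsvr32.exe" \
                and re.search(r"/i\b", ev["command_line"], re.I) and in_user_writable(ev["command_line"]):
            findings.append((ev["record_id"], "script_host_regsvr32_user_dll"))  # DllInstall of a dropped DLL
        elif eid == 7 and ev.get("signed", "").lower() == "false" and in_user_writable(ev["image_loaded"]):
            findings.append((ev["record_id"], "unsigned_user_dll_load"))
        elif eid == 13 and re.search(r"\\CLSID\\\{[^}]+\}\\InProcServer32\\", ev.get("target_object", ""), re.I) \
                and in_user_writable(ev["details"]):
            findings.append((ev["record_id"], "com_inprocserver32_user_dll"))
        elif eid == 10 and int(ev.get("granted_access", "0"), 16) == 0x1FFFFF:  # PROCESS_ALL_ACCESS
            # CreateProcess hands every parent an all-access handle to its child, so timing alone is noise;
            # the signal is that the handle was obtained from a dropped DLL or from unbacked memory.
            child = created.get(ev["target_guid"])
            if child and child.get("parent_guid") == ev["guid"] and \
                    0 <= (ev["utc"] - child["utc"]).total_seconds() <= 1 and leaves_windows(ev["call_trace"]):
                findings.append((ev["record_id"], "all_access_on_new_child_from_dropped_code"))
    return findings

# Seven records copied from this page (Event 10 call traces shortened to a few frames), joined as one page line.
SAMPLE_RECORDS = [
    r'154100x800000000000000015343968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.353{8B6011A9-0C73-6156-EA43-02000000F001}7432C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"',
    r'154100x800000000000000015343951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.344{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"',
    r'10341000x800000000000000015343952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:55.344{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C73-6156-E943-02000000F001}1608C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|UNKNOWN(0000000005640169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086584A0)',
    r'154100x800000000000000015344086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs"',
    r'10341000x800000000000000015344087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C70-6156-E743-02000000F001}43929844C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)',
    r'734700x800000000000000015344166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.459{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable',
    r'13241300x800000000000000015344168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 19:13:57.460{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll',
]
SAMPLE_LINE = " ".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    for rid, tag in triage(resolve_source_pids(parse_page_line(SAMPLE_LINE))):
        print(rid, tag)
```

Run as-is, it reports the regsvr32 /I registration (both instances), the unsigned load of dynwrapx.dll by regsvr32.exe, the InProcServer32 value written under the user hive, and the all-access open of the new winhlp32.exe. The all-access open of the second regsvr32.exe at 19:13:57.431 is deliberately not reported: its trace stays entirely in Microsoft shell and kernelbase code, which is the ordinary shape of a process launch from the script host, whereas the winhlp32.exe handle was obtained through dynwrapx.dll and two frames no module backs. The CurrentDirectory/User split relies on User always having the DOMAIN\user form; the fused SourceProcessId/SourceThreadId can only be split where the same GUID appears with a plain PID elsewhere, which is why the function leaves csrss.exe (never seen with one here) unresolved.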
734700x800000000000000015344166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.459{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 534500x800000000000000015344148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.445{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exe 734700x800000000000000015344133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.441{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000015344129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.440{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000015344128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.440{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000015344127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.440{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000015344125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.440{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000015344124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.440{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000015344123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.439{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft 
CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000015344122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.439{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000015344121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.439{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000015344120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.438{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015344118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.438{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015344117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.438{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015344116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.437{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015344114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.437{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015344112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.437{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000015344111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.436{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015344109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.436{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015344107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.435{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015344105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.435{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015344102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.434{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015344100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.434{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000015344098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.433{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015344096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.433{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015344094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.433{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015344092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.432{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000015344091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.432{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015344090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015344088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000015344087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C70-6156-E743-02000000F001}43929844C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 
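Four distinct shapes of Sysmon Event 10 (ProcessAccess) appear in these records: wscript.exe on winhlp32.exe with GrantedAccess 0x1fffff and a trace that passes through dynwrapx.dll and two UNKNOWN frames; wscript.exe on regsvr32.exe with the same 0x1fffff but a trace that never leaves Windows-shipped modules (windows.storage, SHELL32, shcore, KERNELBASE); wscript.exe on explorer.exe with 0x40; and csrss.exe on winhlp32.exe with 0x1410 and 0x1000. The mask alone does not separate them. As an added example (not code from the page, from Sysmon or from Attack Range), the following decodes GrantedAccess into named rights, classifies each CallTrace frame as Windows-backed, foreign, or unbacked, and turns that into a verdict. The rights table is the process access-rights set from winnt.h; the verdict rules, the "foreign" definition (any module outside C:\Windows) and the injection-capable bit set are assumptions made for the illustration, and the lsass.exe rule goes beyond the cases on this page.

```python
"""Triage Sysmon Event 10 by decoding GrantedAccess and classifying the CallTrace (added example,
not from the page). Inputs are the hex mask and the pipe-separated frame list exactly as Sysmon
writes them; the samples below are copied from records on this page, traces shortened."""
import re

# Process access rights from winnt.h. PROCESS_ALL_ACCESS (0x1FFFFF on Vista and later) is
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF, so it also carries bits no PROCESS_* name defines.
RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
INJECT = 0x0002 | 0x0008 | 0x0020  # assumption: CREATE_THREAD | VM_OPERATION | VM_WRITE = can write and run code
FRAME = re.compile(r"^(?P<module>.+?)\+(?P<offset>[0-9a-fA-F]+)(?P<wow64>\(wow64\))?$")
UNBACKED = re.compile(r"^UNKNOWN\((?P<addr>[0-9A-Fa-f]+)\)$")

def decode_access(mask):
    """Names of the rights set in a GrantedAccess mask, plus any bits winnt.h does not name."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    extra = mask & ~sum(RIGHTS)
    return names + ([f"0x{extra:x}"] if extra else [])

def parse_trace(call_trace):
    """Each frame becomes {module, offset, wow64}; UNKNOWN(addr) frames (no backing module) get module=None."""
    frames = []
    for raw in call_trace.split("|"):
        m = FRAME.match(raw)
        if m:
            frames.append({"module": m["module"], "offset": int(m["offset"], 16), "wow64": bool(m["wow64"])})
        else:
            u = UNBACKED.match(raw)
            frames.append({"module": None, "addr": int(u["addr"], 16) if u else raw, "wow64": False})
    return frames

def triage_access(source_image, target_image, granted_access, call_trace):
    """Verdict for one Event 10: the mask says what the handle can do, the trace says who asked for it."""
    mask = int(granted_access, 16)
    frames = parse_trace(call_trace)
    unbacked = [f["addr"] for f in frames if f["module"] is None]
    foreign = [f["module"] for f in frames if f["module"] and not f["module"].lower().startswith("c:\\windows\\")]
    can_inject = bool(mask & INJECT)
    if can_inject and (unbacked or foreign):
        verdict = "injection"          # write/execute rights requested from code Windows did not ship
    elif target_image.lower().endswith("\\lsass.exe") and mask & 0x0010:
        verdict = "credential_access"  # PROCESS_VM_READ on LSASS; not among this page's samples
    elif can_inject:
        verdict = "review"             # e.g. the all-access handle CreateProcess returns to a parent
    else:
        verdict = "low"
    return {"verdict": verdict, "rights": decode_access(mask), "unbacked": unbacked, "foreign": foreign,
            "wow64": any(f["wow64"] for f in frames), "source": source_image, "target": target_image}

# (SourceImage, TargetImage, GrantedAccess, CallTrace) copied from four Event 10 records on this page.
SAMPLES = [
    ("C:\\Windows\\SYSWOW64\\WSCRIPT.EXE", "C:\\Windows\\winhlp32.exe", "0x1fffff",
     r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|UNKNOWN(0000000005640169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086584A0)"),
    ("C:\\Windows\\SYSWOW64\\WSCRIPT.EXE", "C:\\Windows\\SysWOW64\\regsvr32.exe", "0x1fffff",
     r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)"),
    ("C:\\Windows\\SYSWOW64\\WSCRIPT.EXE", "C:\\Windows\\explorer.exe", "0x40",
     r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)"),
    ("C:\\Windows\\system32\\csrss.exe", "C:\\Windows\\winhlp32.exe", "0x1410",
     r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\ntdll.dll+5178f"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage_access(*sample)
        print(result["verdict"], result["source"], "->", result["target"], result["rights"])
```

The two 0x1fffff records decode to the same twenty entries (nineteen named rights plus the unnamed 0xc000), so only the frames distinguish them: the winhlp32.exe handle is "injection" because dynwrapx.dll and two unbacked addresses sit in the trace, while the regsvr32.exe handle is "review", the shape a parent gets from CreateProcess. 0x40 is PROCESS_DUP_HANDLE alone and 0x1410 is VM_READ plus the two QUERY_INFORMATION rights, neither of which can write or execute in the target; csrss.exe opens every process in its session as a matter of course, which is why Sysmon configurations usually exclude it as a SourceImage rather than by mask.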
154100x800000000000000015344086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C75-6156-EC43-02000000F001}8760C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 734700x800000000000000015344085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.431{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015344084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.430{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015344083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.429{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015344082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.429{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015344081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.428{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015344080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.428{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015344079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.427{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000015344078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:57.427{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000015344077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 19:13:57.427{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000015344076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.427{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015344075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.427{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015344074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.426{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and 
Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015344073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.426{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015344072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.425{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015344071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.425{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015344070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.425{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015344069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.422{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015344068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.422{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005A10169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086584A0) 154100x800000000000000015344067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:57.422{8B6011A9-0C75-6156-EB43-02000000F001}4660C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 534500x800000000000000015344303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.535{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe 10341000x800000000000000015344301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.500{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015344300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.500{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015344299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.500{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015344298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.500{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x800000000000000015344297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.499{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015344296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.499{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64) 10341000x800000000000000015344294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.499{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015344293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.499{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64) 10341000x800000000000000015344292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64) 10341000x800000000000000015344291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64) 10341000x800000000000000015344287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.498{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64) 10341000x800000000000000015344286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015344283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64) 10341000x800000000000000015344281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64) 10341000x800000000000000015344280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.497{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64) 10341000x800000000000000015344278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.496{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.496{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.496{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x800000000000000015344274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.496{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid 18141800x800000000000000015344271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-30 19:13:59.495{8B6011A9-0C70-6156-E743-02000000F001}4392\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE 10341000x800000000000000015344270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.495{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000015344269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.495{8B6011A9-0C77-6156-EF43-02000000F001}66087928C:\Windows\SysWOW64\WerFault.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x800000000000000015344268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.495{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 
(rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid 734700x800000000000000015344266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.494{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid 10341000x800000000000000015344264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\Syst
em32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015344262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64) 10341000x800000000000000015344261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015344260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 10341000x800000000000000015344258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015344257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015344256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.490{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000015344255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.489{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000015344253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.489{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015344252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.489{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000015344251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.489{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000015344250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.489{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 734700x800000000000000015344247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.488{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 11241100x800000000000000015344246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.488{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000015344245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.488{8B6011A9-0C70-6156-E743-02000000F001}4392ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 10341000x800000000000000015344240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000015344237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015344236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000015344234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000015344232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.485{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000015344219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.481{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000015344215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.479{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000015344213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.478{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 154100x800000000000000015344200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.475{8B6011A9-0C77-6156-EF43-02000000F001}6608C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8892 -s 80C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000015344198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.472{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015344197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.472{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015344196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.472{8B6011A9-0BAB-6156-A843-02000000F001}75766092C:\Windows\System32\svchost.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015344195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
19:13:59.471{8B6011A9-0C77-6156-ED43-02000000F001}88928980C:\Windows\winhlp32.exe{8B6011A9-0C77-6156-EE43-02000000F001}8244C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|UNKNOWN(0000000076FDEF6C)|UNKNOWN(000000007705CF02)|UNKNOWN(000000007701F19A)|UNKNOWN(000000007701E602)|UNKNOWN(000000007701E24A)|UNKNOWN(00000000770167D2)|UNKNOWN(0000000076FD7FC0) 734700x800000000000000015344194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.466{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000015344193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.466{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015344192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.465{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015344191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.465{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015344190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.465{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015344189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.464{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015344188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.464{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015344187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.463{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015344186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.463{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000015344185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.463{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid 10341000x800000000000000015344184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.461{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x800000000000000015344183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.460{8B6011A9-0C70-6156-E743-02000000F001}43928756C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005A80169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000086584A0) 154100x800000000000000015344182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:13:59.460{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-0C70-6156-E743-02000000F001}4392C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\remcos.vbs" 534500x800000000000000015344512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 19:14:02.709{8B6011A9-0C77-6156-ED43-02000000F001}8892C:\Windows\winhlp32.exe 734700x800000000000000015393364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:23:50.435{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015393363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:23:50.434{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 354300x800000000000000015393373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:07.059{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local63672-false46.43.90.184ADSL-46.43.90.184.mada.ps7676- 534500x800000000000000015393735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.564{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exe 23542300x800000000000000015393734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.561{8B6011A9-1CE2-6156-DE45-02000000F001}8352ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\amybteowgxuctvtogrpj.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue 734700x800000000000000015393733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.560{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000015393732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.559{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000015393731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.558{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000015393730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.556{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000015393729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.555{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000015393728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.555{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000015393727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.554{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000015393726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.554{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000015393725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.554{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000015393724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.553{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000015393723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.553{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000015393722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.552{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000015393721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.552{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 12241200x800000000000000015393720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.550{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000015393719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.550{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000015393718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.550{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000015393717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.549{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 
(rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000015393716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.547{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000015393715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.546{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000015393714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.546{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000015393713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.546{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 
(rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid 734700x800000000000000015393712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.545{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000015393711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.544{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000015393710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.543{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015393709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.543{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000015393708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.541{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000015393707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.541{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid 12241200x800000000000000015393706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.540{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000015393705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.540{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings 10341000x800000000000000015393704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.539{8B6011A9-51ED-6143-0C00-00000000F001}8529912C:\Windows\system32\svchost.exe{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015393703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.538{8B6011A9-51ED-6143-1600-00000000F001}13244520C:\Windows\System32\svchost.exe{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015393702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.538{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015393701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.538{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015393700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.537{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000015393699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.535{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft 
WindowsValid 734700x800000000000000015393698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.534{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000015393697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.533{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000015393696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.533{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000015393695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.533{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft 
WindowsValid 734700x800000000000000015393694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.532{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015393693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.532{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015393692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.532{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000015393691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.531{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000015393690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.531{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000015393689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.531{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000015393688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.530{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000015393687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.530{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 
734700x800000000000000015393686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.530{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000015393685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.530{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000015393684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.529{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000015393683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.529{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 
734700x800000000000000015393682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.529{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000015393681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.528{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000015393680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.527{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000015393679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.526{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
734700x800000000000000015393678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.526{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000015393677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.526{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015393676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.525{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 534500x800000000000000015393675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.525{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe 734700x800000000000000015393674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.525{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000015393673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.524{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000015393672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.524{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000015393671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.523{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000015393670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.523{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000015393669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.523{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 12241200x800000000000000015393668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.523{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 734700x800000000000000015393667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.523{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 10341000x800000000000000015393666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.522{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015393665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 
20:24:02.521{8B6011A9-B5D2-6155-2C38-02000000F001}92283688C:\Windows\winhlp32.exe{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000015393664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.521{8B6011A9-1CE2-6156-DE45-02000000F001}8352C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\amybteowgxuctvtogrpj.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 
13241300x800000000000000015393663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 20:24:02.518{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015393662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 20:24:02.518{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000015393661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 20:24:02.518{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000015393660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 20:24:02.518{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000015393659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.517{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000015393658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 
20:24:02.509{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000015393657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.508{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x800000000000000015393656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.508{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000015393655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.508{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000015393654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-30 20:24:02.508{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 12241200x800000000000000015393653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.508{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 
12241200x800000000000000015393652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.507{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000015393651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.505{8B6011A9-51ED-6143-0C00-00000000F001}8529912C:\Windows\system32\svchost.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015393650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.504{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000015393649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-30 20:24:02.503{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 
734700x800000000000000015393648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.496{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000015393647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.494{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000015393646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.494{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000015393645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.494{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 
10341000x800000000000000015393644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.493{8B6011A9-51ED-6143-1600-00000000F001}13244520C:\Windows\System32\svchost.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015393643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.493{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000015393642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.492{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000015393641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.491{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 11241100x800000000000000015393640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-30 20:24:02.490{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\amybteowgxuctvtogrpj.vbs2021-09-30 20:24:02.490 12241200x800000000000000015393639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-30 20:24:02.490{8B6011A9-B5D2-6155-2C38-02000000F001}9228C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000016058907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.978{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000016058882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.974{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000016058863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.986{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000016058862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.986{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000016058860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.970{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000016058836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.978{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 534500x800000000000000016058834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.963{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exe 734700x800000000000000016058833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.958{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000016058832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.958{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid 734700x800000000000000016058822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.949{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 10341000x800000000000000016058821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.957{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000016058813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.956{8B6011A9-FA6A-6156-EB5F-02000000F001}51369884C:\Windows\System32\WScript.exe{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000016058809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.956{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 12241200x800000000000000016058801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.947{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 
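The two launch chains recorded in this export are the part a hunter should pull out of the noise: winhlp32.exe (pid 9228) writes a randomly named .vbs into the user's Temp directory, deletes a key under HKU\<SID>\SOFTWARE, and spawns wscript.exe on that file; a day later a 64-bit System32\wscript.exe running C:\temp\remcos.vbs re-launches the 32-bit SysWOW64\wscript.exe with //b //e:vbscript. The Python below is an added example, not part of the telemetry export and not attack_range's own code. Its records are constructed by hand from the events visible above (Sysmon Event IDs 1, 10, 11, 12) using Sysmon's EventData field names, plus one benign launch (pid 7000) that should not fire; it does not parse the flattened export format itself. The EXPECTED_PARENTS allowlist and the rule names are this example's own assumptions.

```python
"""Hunting rules for Sysmon process, file and registry telemetry like the dump above.

Added example, not part of the original export and not attack_range's own code.
Records are constructed from the events visible on this page (Sysmon Event IDs
1, 10, 11, 12) using Sysmon's EventData field names.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Parents from which a script-host launch is treated as expected (assumption; tune per environment).
EXPECTED_PARENTS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe")
TEMP_RE = re.compile(r"\\(?:appdata\\local\\temp|temp)\\", re.IGNORECASE)
WSH_BATCH_RE = re.compile(r"(?<!\S)//?b(?!\S)", re.IGNORECASE)  # //B: batch mode, no prompts or error boxes
WSH_ENGINE_RE = re.compile(r"(?<!\S)//?e:\w+", re.IGNORECASE)   # //E:vbscript: engine forced, extension ignored
HKCU_VENDOR_KEY_RE = re.compile(r"^hku\\s-1-5-21-[\d-]+\\software\\[^\\]+$")
PROCESS_ALL_ACCESS = 0x1FFFFF

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)

def script_paths(cmdline):
    """Script files named on a wscript/cscript command line (quoted or bare)."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]

# Constructed from the page's events (timestamps, PIDs and paths as shown there),
# plus one benign launch (pid 7000) that must produce no finding.
EVENTS = [
    {"EventID": 11, "UtcTime": "2021-09-30 20:24:02.490", "ProcessId": 9228,
     "Image": r"C:\Windows\winhlp32.exe",
     "TargetFilename": r"C:\Users\ADMINI~1\AppData\Local\Temp\2\amybteowgxuctvtogrpj.vbs"},
    {"EventID": 12, "UtcTime": "2021-09-30 20:24:02.490", "ProcessId": 9228,
     "Image": r"C:\Windows\winhlp32.exe", "EventType": "DeleteKey",
     "TargetObject": r"HKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO"},
    # Image is SysWOW64 while CommandLine says System32: the 32-bit parent is subject
    # to WOW64 file-system redirection, which itself tells you the launcher is 32-bit.
    {"EventID": 1, "UtcTime": "2021-09-30 20:24:02.521", "ProcessId": 8352,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\amybteowgxuctvtogrpj.vbs"',
     "ParentProcessId": 9228, "ParentImage": r"C:\Windows\winhlp32.exe"},
    {"EventID": 10, "UtcTime": "2021-09-30 20:24:02.521", "SourceProcessId": 9228,
     "SourceImage": r"C:\Windows\winhlp32.exe", "TargetProcessId": 8352,
     "TargetImage": r"C:\Windows\SysWOW64\WScript.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "UtcTime": "2021-09-30 20:24:02.522", "SourceProcessId": 436,
     "SourceImage": r"C:\Windows\system32\csrss.exe", "TargetProcessId": 8352,
     "TargetImage": r"C:\Windows\SysWOW64\WScript.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "UtcTime": "2021-10-01 12:09:14.956", "ProcessId": 9556,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"',
     "ParentProcessId": 5136, "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "UtcTime": "2021-10-01 12:10:00.000", "ProcessId": 7000,  # constructed benign control
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"',
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe"},
]

def hunt(events):
    """Apply the rules to a batch of events; returns a list of finding dicts."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    findings, dropped = [], {}  # dropped: lower-cased script path -> (time, dropper image)
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        eid = e["EventID"]
        if eid == 11 and e["TargetFilename"].lower().endswith(SCRIPT_EXTS):
            dropped[e["TargetFilename"].lower()] = (ts(e["UtcTime"]), e["Image"])
        elif eid == 12 and e.get("EventType") == "DeleteKey" \
                and HKCU_VENDOR_KEY_RE.match(e["TargetObject"].lower()):
            # A whole HKCU\Software\<name> key removed by a non-installer: noisy alone, strong in context.
            findings.append({"rule": "hkcu_software_key_deleted", "pid": e["ProcessId"],
                             "image": e["Image"], "key": e["TargetObject"]})
        elif eid == 10 and (int(e["GrantedAccess"], 16) & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
            # A parent holding full access to its own child at creation, and csrss, are normal.
            src, tgt = e["SourceProcessId"], e["TargetProcessId"]
            if src != parent_of.get(tgt) and not e["SourceImage"].lower().endswith("\\csrss.exe"):
                findings.append({"rule": "full_access_from_non_parent", "pid": tgt, "source": e["SourceImage"]})
        elif eid == 1 and is_script_host(e["Image"]):
            pid, parent, cmd = e["ProcessId"], e["ParentImage"], e["CommandLine"]
            paths = script_paths(cmd)
            if any(TEMP_RE.search(p) for p in paths):
                findings.append({"rule": "script_from_temp", "pid": pid, "paths": paths})
            if is_script_host(parent):  # e.g. the 64-bit host re-launching the 32-bit one
                findings.append({"rule": "nested_script_host", "pid": pid, "parent": parent})
            elif not parent.lower().endswith(EXPECTED_PARENTS):
                findings.append({"rule": "unusual_parent", "pid": pid, "parent": parent})
            if WSH_BATCH_RE.search(cmd) and WSH_ENGINE_RE.search(cmd):
                findings.append({"rule": "silent_engine_override", "pid": pid})
            for p in paths:  # file written by one process, executed by another shortly after
                hit = dropped.get(p.lower())
                if hit and ts(e["UtcTime"]) - hit[0] <= timedelta(seconds=60):
                    findings.append({"rule": "drop_then_execute", "pid": pid, "dropper": hit[1], "path": p})
    return findings

if __name__ == "__main__":
    print(*hunt(EVENTS), sep="\n")
```

On the page's own records this yields seven findings: the Temp-dropped script run from winhlp32.exe (script_from_temp, unusual_parent, drop_then_execute and the key deletion), and the remcos.vbs launch (script_from_temp, nested_script_host, silent_engine_override). The two ProcessAccess records with GrantedAccess 0x1fffff do not fire, because both come from the child's own parent or from csrss.exe; keying the rule on that relationship is what keeps PROCESS_ALL_ACCESS from being pure noise.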
734700x800000000000000016058800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.941{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000016058715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.843{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000016058714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.834{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000016058713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.831{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 
734700x800000000000000016058712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.829{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000016058711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.828{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000016058710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.828{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000016058709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.828{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000016058708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.824{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid 
734700x800000000000000016058705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.574{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 734700x800000000000000016058704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.573{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000016058703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.572{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 734700x800000000000000016058702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.440{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 
13241300x800000000000000016058701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016058700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016058699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016058698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016058697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016058696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.426{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
734700x800000000000000016058695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.425{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000016058694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000016058693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000016058692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000016058691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000016058690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000016058689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000016058688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000016058687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000016058686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000016058685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000016058684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000016058683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000016058682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.422{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x800000000000000016058681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.422{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 734700x800000000000000016058680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.421{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000016058679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.421{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000016058678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.421{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 
12241200x800000000000000016058677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.403{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000016058676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.403{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x800000000000000016058675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.389{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000016058674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.370{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000016058673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.369{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016058666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
12:09:14.367{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000016058665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.367{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000016058658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.355{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 13241300x800000000000000016058640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.359{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000016058639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.359{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 
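Added example (not part of this page or of the Attack Range dataset it was exported from): a parser for this flattened Sysmon export, with the two checks a practitioner would run over the records above and below. Seven of the embedded records are copied verbatim from the page (EID 7 loads of wininet.dll, vbscript.dll, ws2_32.dll and schannel.dll, the EID 13 SetValue on ProxyEnable, the EID 12 CreateKey on SystemCertificates\ROOT, and the first EID 10 ProcessAccess record); the eighth, marked CONSTRUCTED, is made up to show what a record that should alert looks like. The field order is Sysmon's (EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, EventType for registry events, UtcTime, then the event-specific fields); where the export fused adjacent fields (process id against image path, value name against data in EID 13, SourceProcessId against SourceThreadId in EID 10) the code recovers them with the heuristics commented inline, and the EID 10 "6329044" is kept as one field because that fusion is not separable. The security point it demonstrates: in the page's EID 10 records lsass.exe is the source process and WScript.exe the target (GrantedAccess 0x1478 and 0x1000, call trace through SspiSrv.dll and lsasrv.dll), which is consistent with LSA servicing an SSPI request from the script host, not the script host reading LSA memory; a credential-dumping rule therefore has to test the target image and the access mask, not the mere presence of lsass.exe in the event. The module profile shows the script host pulling in network, TLS and script-engine modules within the same second, the shape of a download cradle.

```python
import re

# Seven records copied verbatim from the page; the export runs records together with a single space between them.
PAGE_RECORDS = [
    r"734700x800000000000000016058586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.332{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid",
    r"734700x800000000000000016058559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.265{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid",
    r"734700x800000000000000016058591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.341{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid",
    r"734700x800000000000000016058676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.403{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid",
    r"13241300x800000000000000016058632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)",
    r"12241200x800000000000000016058684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.423{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT",
    r"10341000x800000000000000016058590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.339{8B6011A9-51EB-6143-0B00-00000000F001}6329044C:\Windows\system32\lsass.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
]
# CONSTRUCTED record, not from the page: the script host opening lsass.exe with 0x1010 (QUERY_LIMITED_INFORMATION | VM_READ).
CONSTRUCTED_RECORD = r"10341000x800000000000000099999999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.000{8B6011A9-FA6A-6156-EB5F-02000000F001}51365200C:\Windows\System32\WScript.exe{8B6011A9-51EB-6143-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+9d4f4|UNKNOWN(000001E2C0A10000)"
SAMPLE_DUMP = " ".join(PAGE_RECORDS + [CONSTRUCTED_RECORD])  # same run-together layout as the page

# A record starts with EventID, Version, Level (4), Task (== EventID), Opcode (0), Keywords, RecordID, Channel.
RECORD_START = re.compile(r'(?P<eid>\d{1,2})\d4(?P=eid)00x[0-9A-Fa-f]{16}\d+Microsoft-Windows-Sysmon/Operational')
HEADER = re.compile(
    r'^(?P<eid>\d{1,2})\d4(?P=eid)0(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)'
    r'Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-(?P<op>[A-Za-z]+)?'   # RuleName is "-"; EventType only on registry events
    r'(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$', re.S)
# Heuristic for fused "pid + image": the pid digits end where the drive letter of the path begins.
_PROC = r'\{(?P<pguid>[0-9A-Fa-f-]+)\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.*?\.(?:exe|EXE))'
E7 = re.compile(_PROC + r'(?P<loaded>[A-Za-z]:\\.*?\.(?:dll|DLL|ocx|OCX|exe|EXE))(?P<meta>.*?)'
                r'MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64})'
                r'(?P<signed>true|false)(?P<signature>.*?)(?P<status>Valid|Invalid|Unavailable)\s*$', re.S)
# Heuristic for EID 13: the data is only split off when it has one of Sysmon's fixed renderings; otherwise it stays in target.
EREG = re.compile(_PROC + r'(?P<target>HK(?:LM|U|CU|CR|CC)\\.*?)'
                  r'(?P<details>DWORD \(0x[0-9A-Fa-f]{8}\)|QWORD \(0x[0-9A-Fa-f]{16}\)|Binary Data|\(Empty\))?\s*$', re.S)
# EID 10: SourceProcessId and SourceThreadId are fused in this export and are kept as one field (spid_tid).
E10 = re.compile(r'\{(?P<sguid>[0-9A-Fa-f-]+)\}(?P<spid_tid>\d+)(?P<simage>[A-Za-z]:\\.*?\.(?:exe|EXE))'
                 r'\{(?P<tguid>[0-9A-Fa-f-]+)\}(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.*?\.(?:exe|EXE))'
                 r'(?P<access>0x[0-9A-Fa-f]+?)(?P<calltrace>[A-Za-z]:\\.*)$', re.S)  # mask ends where the call trace path starts
BODY = {7: E7, 10: E10, 12: EREG, 13: EREG}


def split_records(text):
    """Cut a run-together export at every record header."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def parse_record(raw):
    m = HEADER.match(raw)
    if not m:
        return None
    rec = {'eid': int(m.group('eid')), 'record': int(m.group('rec')), 'host': m.group('host'),
           'op': m.group('op'), 'utc': m.group('utc')}
    pat = BODY.get(rec['eid'])
    b = pat.match(m.group('body')) if pat else None
    if b:
        rec.update(b.groupdict())
    else:
        rec['body'] = m.group('body')  # event type not modelled here: keep the raw body
    return rec


def parse_dump(text):
    return [r for r in map(parse_record, split_records(text)) if r]


# Process access rights that let a caller read or tamper with another process's memory.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = 0x2, 0x8, 0x10, 0x20, 0x40
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE


def lsass_access_alerts(records):
    """EID 10 records where lsass.exe is the TARGET and the granted mask carries memory rights.
    The page's EID 10 records have lsass.exe as SOURCE (LSA calling back into the client it is
    serving, call trace via SspiSrv.dll/lsasrv.dll) and are deliberately not matched."""
    return [r for r in records if r['eid'] == 10 and 'timage' in r
            and r['timage'].lower().endswith(r'\lsass.exe')
            and int(r['access'], 16) & MEMORY_RIGHTS]


DLL_CLASSES = {
    'network': {'wininet.dll', 'winhttp.dll', 'ws2_32.dll', 'mswsock.dll', 'dnsapi.dll', 'urlmon.dll', 'iphlpapi.dll'},
    'tls_crypto': {'schannel.dll', 'ncrypt.dll', 'ncryptsslp.dll', 'crypt32.dll', 'cryptnet.dll', 'bcrypt.dll', 'rsaenh.dll'},
    'script_engine': {'vbscript.dll', 'jscript.dll', 'scrobj.dll', 'scrrun.dll', 'wshom.ocx', 'amsi.dll'},
}


def module_profile(records, image_suffix=r'\wscript.exe'):
    """Network / TLS / script-engine modules loaded (EID 7) by one image, keyed by class."""
    profile = {cls: set() for cls in DLL_CLASSES}
    for r in records:
        if r['eid'] != 7 or 'image' not in r or not r['image'].lower().endswith(image_suffix):
            continue
        name = r['loaded'].rsplit('\\', 1)[-1].lower()
        for cls, names in DLL_CLASSES.items():
            if name in names:
                profile[cls].add(name)
    return profile


if __name__ == '__main__':
    recs = parse_dump(SAMPLE_DUMP)
    for r in recs:
        print(r['record'], r['eid'], r['utc'], r.get('loaded') or r.get('target') or r.get('timage'))
    print('lsass alerts:', [(a['record'], a['simage'], a['access']) for a in lsass_access_alerts(recs)])
    print('wscript module profile:', module_profile(recs))
```

The parser keys on the Sysmon schema rather than on delimiters, because the export has none; the comments mark every place a field boundary is guessed. Run against the full page the module profile should also pick up winhttp.dll, urlmon.dll, dnsapi.dll, mswsock.dll, ncrypt.dll, crypt32.dll, cryptnet.dll, scrobj.dll, scrrun.dll, wshom.ocx and amsi.dll from the other EID 7 records, and `lsass_access_alerts` should stay empty, which is the correct verdict for the two lsass-sourced records on this page.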
13241300x800000000000000016058638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.358{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x800000000000000016058636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000016058635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000016058634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000016058633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000016058632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 
12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000016058631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000016058630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000016058629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000016058628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.356{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000016058626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.353{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000016058625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.353{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000016058624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.353{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000016058623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:14.353{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000016058622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.352{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000016058621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.352{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000016058620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.351{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 
(rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000016058614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.343{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000016058594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.345{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000016058591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.341{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000016058590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.339{8B6011A9-51EB-6143-0B00-00000000F001}6329044C:\Windows\system32\lsass.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016058589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.339{8B6011A9-51EB-6143-0B00-00000000F001}6329044C:\Windows\system32\lsass.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000016058588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.338{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000016058587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.335{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x800000000000000016058586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.332{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000016058585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.301{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000016058584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.301{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000016058583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.301{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000016058582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.301{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000016058581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.299{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000016058580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.284{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid 734700x800000000000000016058579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.280{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000016058578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.280{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000016058577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.280{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000016058576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.280{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000016058575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.279{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000016058574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.279{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000016058573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.279{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000016058572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.279{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000016058571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.278{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x800000000000000016058570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.274{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000016058569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.273{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000016058568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.273{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000016058567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.272{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000016058566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.272{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000016058565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.272{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000016058564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.270{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification 
APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000016058563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.268{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000016058562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.267{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000016058561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.267{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x800000000000000016058560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.265{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000016058559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.265{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid 734700x800000000000000016058558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.259{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000016058557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.259{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000016058556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.257{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000016058555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.257{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000016058554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.256{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings 12241200x800000000000000016058553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:14.256{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x800000000000000016058552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.255{8B6011A9-51ED-6143-0C00-00000000F001}8524432C:\Windows\system32\svchost.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016058551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.254{8B6011A9-51ED-6143-1600-00000000F001}13246892C:\Windows\System32\svchost.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016058550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.254{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000016058549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.254{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000016058548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.253{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000016058547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.251{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft 
WindowsValid 734700x800000000000000016058546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.250{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000016058545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.250{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000016058544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.249{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000016058543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.249{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000016058542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.249{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000016058541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.249{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000016058540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.248{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000016058539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.248{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000016058538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.248{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000016058537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.248{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000016058536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.248{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000016058535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.247{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000016058534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.247{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000016058533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.247{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000016058532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.246{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000016058531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.245{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000016058530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.245{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000016058529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.244{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000016058528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.244{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid 10341000x800000000000000016058527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:14.243{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000016058526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.243{8B6011A9-B0F1-6155-7237-02000000F001}12522536C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\shell32.dll+3cd3f|C:\Windows\System32\shell32.dll+3cbcc|C:\Windows\System32\shell32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.dll+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000016058525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.241{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\temp\remcos.vbs" 
C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-B0F1-6155-7237-02000000F001}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 734700x800000000000000016060190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.995{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid 734700x800000000000000016060189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.986{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid 734700x800000000000000016060188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.982{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid 734700x800000000000000016060187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:15.981{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid 12241200x800000000000000016060186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:15.980{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000016060185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:15.980{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000016060184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.979{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid 734700x800000000000000016060183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.974{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid 734700x800000000000000016060180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:15.683{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000016060179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.682{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x800000000000000016060178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.681{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid 734700x800000000000000016060172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.495{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000016060147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:15.494{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000016060122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.491{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000016060095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.485{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000016060070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.482{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000016060045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:15.468{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000016060025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.565{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000016060016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.439{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 13241300x800000000000000016059998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:15.552{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x800000000000000016059997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:15.552{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000016059262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.053{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000016059242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.041{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000016059211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.040{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000016059187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.039{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000016059157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.028{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000016059132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.025{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000016059107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.024{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000016059087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.022{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® 
Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000016059055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.016{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000016059031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.012{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000016059008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.006{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000016058982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:15.001{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000016058958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.987{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000016058935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.986{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000016058931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:14.987{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 22542200x800000000000000016060490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:34.014{8B6011A9-FA6A-6156-ED5F-02000000F001}9556paste.ee0::ffff:104.26.4.223;::ffff:104.26.5.223;::ffff:172.67.68.88;C:\Windows\SysWOW64\wscript.exe 
22542200x800000000000000016060489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:32.891{8B6011A9-FA6A-6156-EB5F-02000000F001}5136paste.ee0::ffff:104.26.4.223;::ffff:104.26.5.223;::ffff:172.67.68.88;C:\Windows\System32\wscript.exe 354300x800000000000000016060488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:32.940{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52662-false104.26.4.223-443https 354300x800000000000000016060383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:31.819{8B6011A9-FA6A-6156-EB5F-02000000F001}5136C:\Windows\System32\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52661-false104.26.4.223-443https 734700x800000000000000016060382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.165{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 13241300x800000000000000016060378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:16.162{8B6011A9-FA6C-6156-EE5F-02000000F001}9912C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000016060376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.161{8B6011A9-FA6C-6156-EE5F-02000000F001}9912C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX 
objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000016060255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.064{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 10341000x800000000000000016060253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.058{8B6011A9-FA6A-6156-ED5F-02000000F001}95565372C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-FA6C-6156-EE5F-02000000F001}9912C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shco
re.dll+2fffa(wow64) 154100x800000000000000016060252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.058{8B6011A9-FA6C-6156-EE5F-02000000F001}9912C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000016060251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.054{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000016060250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:16.051{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000016060249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:16.041{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000016060248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
12:09:16.041{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000016060247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.040{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x800000000000000016060240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:16.026{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 534500x800000000000000016061205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.350{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe 10341000x800000000000000016061203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.347{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.345{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.345{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.345{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.344{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.344{8B6011A9-FA6E-6156-F65F-02000000F001}76644252C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000016061084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.327{8B6011A9-FA6E-6156-F65F-02000000F001}7664C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 60C:\Windows\system32\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x800000000000000016061082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:18.324{8B6011A9-FA6E-6156-F25F-02000000F001}37164420C:\Windows\System32\svchost.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016061081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.324{8B6011A9-FA6E-6156-F25F-02000000F001}37164420C:\Windows\System32\svchost.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016061080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.324{8B6011A9-FA6E-6156-F25F-02000000F001}37164420C:\Windows\System32\svchost.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000016061079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.324{8B6011A9-FA6E-6156-F25F-02000000F001}37164420C:\Windows\System32\svchost.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016061076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:18.321{8B6011A9-FA6E-6156-F55F-02000000F001}72407100C:\Windows\SysWOW64\WerFault.exe{8B6011A9-FA6E-6156-EF5F-02000000F001}1340C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000016061075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12241200x800000000000000016061677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.246{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016061676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.246{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016061675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.246{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016061673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.244{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016061672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.244{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000016061671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.244{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000016061667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.244{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 
13241300x800000000000000016061666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:20.244{8B6011A9-FA70-6156-F85F-02000000F001}8888C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll 734700x800000000000000016061664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.243{8B6011A9-FA70-6156-F85F-02000000F001}8888C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable 734700x800000000000000016061659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.243{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000016061649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.221{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000016061647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.243{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 
(rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000016061634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.240{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 10341000x800000000000000016061632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.239{8B6011A9-51EB-6143-0B00-00000000F001}6329044C:\Windows\system32\lsass.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016061631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:20.239{8B6011A9-51EB-6143-0B00-00000000F001}6329044C:\Windows\system32\lsass.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000016061630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:20.238{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99 12241200x800000000000000016061629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.238{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 13241300x800000000000000016061628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 12:09:20.238{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data 12241200x800000000000000016061626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
12:09:20.238{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000016061599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.234{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000016061598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.233{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 734700x800000000000000016061568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.221{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000016061567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.220{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000016061566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.220{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000016061565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.220{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000016061564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.220{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000016061563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.219{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000016061562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.219{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000016061561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.219{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000016061559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.219{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000016061557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.219{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000016061556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.218{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000016061554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.218{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000016061552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.218{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000016061550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.217{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000016061548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.217{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000016061545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.216{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000016061543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.216{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000016061542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.216{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000016061540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.215{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000016061538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.215{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000016061536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.215{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000016061535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.214{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x800000000000000016061534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.214{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000016061532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.214{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 10341000x800000000000000016061531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:20.214{8B6011A9-FA6A-6156-ED5F-02000000F001}95567392C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-FA70-6156-F85F-02000000F001}8888C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000016061530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.214{8B6011A9-FA70-6156-F85F-02000000F001}8888C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b 
//e:vbscript "C:\temp\remcos.vbs" 734700x800000000000000016061529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.213{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000016061528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.213{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000016061527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.212{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000016061526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.212{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 
734700x800000000000000016061525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.211{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000016061524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.211{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
734700x800000000000000016061523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.211{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000016061522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 12:09:20.211{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000016061521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.210{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000016061520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.210{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000016061519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.210{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000016061518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.209{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000016061517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.209{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000016061516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.209{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000016061515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.208{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000016061514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.208{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000016061513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.206{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000016061512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.205{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005800169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000E40960)
154100x800000000000000016061511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:20.205{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\temp\remcos.vbs"
354300x800000000000000016061927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:37.930{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local52665-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
534500x800000000000000016062045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.346{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000016062044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.321{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000016062043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000016062042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000016062041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000016062040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000016062039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000016062038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000016062037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.320{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000016062036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.319{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000016062035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.319{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000016062034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.319{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000016062033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.319{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000016062032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.319{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000016062031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.318{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000016062030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.318{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000016062029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.318{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
734700x800000000000000016062028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.317{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
18141800x800000000000000016062027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-10-01 12:09:22.317{8B6011A9-FA6A-6156-ED5F-02000000F001}9556\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000016062026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.316{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
734700x800000000000000016062025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.309{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
734700x800000000000000016062023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.302{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid
10341000x800000000000000016062000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.304{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000016061999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.304{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000016061998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.304{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000016061997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.304{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000016061996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000016061995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000016061994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 10341000x800000000000000016061993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64) 10341000x800000000000000016061992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000016061991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64) 10341000x800000000000000016061990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64) 10341000x800000000000000016061989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.303{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64) 11241100x800000000000000016061987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.300{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362 23542300x800000000000000016061986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.300{8B6011A9-FA6A-6156-ED5F-02000000F001}9556ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue 
10341000x800000000000000016061985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000016061984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000016061983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64) 10341000x800000000000000016061982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000016061981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64) 10341000x800000000000000016061980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64) 10341000x800000000000000016061979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.297{8B6011A9-FA6A-6156-ED5F-02000000F001}95561964C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-E3FA-6155-883E-02000000F001}6356C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64) 734700x800000000000000016061978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.293{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable 734700x800000000000000016061977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.290{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000016061976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.289{8B6011A9-FA6A-6156-ED5F-02000000F001}9556C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid 534500x800000000000000016061975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.278{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exe 734700x800000000000000016061974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.274{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000016061973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.273{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000016061972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
12:09:22.273{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000016061971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.273{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000016061970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000016061969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 
734700x800000000000000016061968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x800000000000000016061967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000016061966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x800000000000000016061965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.272{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 
734700x800000000000000016061964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.271{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000016061963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.271{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000016061962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.271{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000016061961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 12:09:22.270{8B6011A9-FA72-6156-F95F-02000000F001}7472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 
|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000016565023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.826{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\tkwfgfcsudkysuchqsfhnrlrssureiqnwz.vbs" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 734700x800000000000000016565020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.808{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 13241300x800000000000000016564996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 23:40:19.820{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000016564995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 
23:40:19.820{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000016564994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 23:40:19.820{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000016564993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 23:40:19.820{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000016564992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.819{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 12241200x800000000000000016564991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.809{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList 734700x800000000000000016564983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.775{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x800000000000000016564959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.769{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 12241200x800000000000000016564940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.791{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications 12241200x800000000000000016564939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.791{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications 13241300x800000000000000016564938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-10-01 23:40:19.790{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data 12241200x800000000000000016564937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.790{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids 12241200x800000000000000016564936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 
23:40:19.790{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x800000000000000016564935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.788{8B6011A9-51ED-6143-0C00-00000000F001}8523888C:\Windows\system32\svchost.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000016564923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.765{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000016564914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.785{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x800000000000000016564908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:19.782{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x800000000000000016564900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.760{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 734700x800000000000000016564875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.747{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000016564844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.742{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 10341000x800000000000000016564706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 
23:40:19.747{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016564705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.747{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000016564703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.734{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tkwfgfcsudkysuchqsfhnrlrssureiqnwz.vbs2021-10-01 23:40:19.734 12241200x800000000000000016564702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-10-01 23:40:19.734{8B6011A9-FA70-6156-F75F-02000000F001}6804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO 734700x800000000000000016566222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.261{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft 
Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid 734700x800000000000000016566196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.259{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 734700x800000000000000016566169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.256{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid 734700x800000000000000016566140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.252{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000016566116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.251{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000016566090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.247{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000016566064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.244{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000016566034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.242{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000016566011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.199{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000016565987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.197{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 534500x800000000000000016565969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.266{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exe 23542300x800000000000000016565968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.263{8B6011A9-9C63-6157-1573-02000000F001}1608ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tkwfgfcsudkysuchqsfhnrlrssureiqnwz.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue 734700x800000000000000016565954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.031{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid 734700x800000000000000016565928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.027{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 
(rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid 734700x800000000000000016565903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.024{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid 734700x800000000000000016565876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.021{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000016565851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.020{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000016565827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.017{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 
(rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000016565803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.012{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000016565776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.009{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000016565753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:20.008{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000016565727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.993{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 
(rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid 734700x800000000000000016565701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.992{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid 734700x800000000000000016565670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.986{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000016565650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.984{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 12241200x800000000000000016565628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-01 23:40:20.022{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 734700x800000000000000016565625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.959{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000016565595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.955{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000016565571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-01 23:40:19.953{8B6011A9-9C63-6157-1573-02000000F001}1608C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid