734700x800000000000000014033372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.957{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014033345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.955{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014033325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.954{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014033295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014033269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.696{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014033251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.837{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
734700x800000000000000014033246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.694{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
11241100x800000000000000014033224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.824{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA272021-09-29 18:56:29.824
11241100x800000000000000014033222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.824{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA272021-09-29 18:56:29.824
734700x800000000000000014033216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.679{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014033187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.670{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
734700x800000000000000014033165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014033135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.663{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014033108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.662{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014033061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.762{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValid
734700x800000000000000014033060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.761{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid
734700x800000000000000014033059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.761{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid
13241300x800000000000000014033056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014033051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.757{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014033050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000014033049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014033048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014033047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014033046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014033045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.755{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014033044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014033043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014033042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014033041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014033040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014033039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014033038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014033037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.754{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014033036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.753{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014033035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.753{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014033034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.752{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000014033033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.752{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000014033032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.734{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014033031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.734{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014033028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014033027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014033026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.719{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.718{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014033019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.716{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014033018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.716{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014033017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014033016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014033015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.714{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014033013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014033012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014033011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014033010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014033009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014033008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014033007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014033006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014033005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.712{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014033004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014033003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014033002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000014033001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
12241200x800000000000000014033000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.711{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014032999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.710{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000014032998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.710{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014032997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014032996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014032995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.709{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014032994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.708{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014032993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014032992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.702{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014032991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.698{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014032990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
734700x800000000000000014032989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014032988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014032987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.697{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014032986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.675{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014032985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014032984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014032983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014032982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.674{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014032981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.673{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014032980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.671{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014032979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.671{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014032978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.670{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
12241200x800000000000000014032977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.669{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014032976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014032975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014032974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.668{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014032973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.667{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014032972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014032971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014032970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.665{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014032969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.650{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014032968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.644{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014032967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.643{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
734700x800000000000000014032966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.642{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014032956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.636{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014032955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:29.635{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014032954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.635{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014032952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.633{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014032951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.633{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014032949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.632{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014032942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.632{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014032919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.628{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
734700x800000000000000014032913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014032912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014032911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.627{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014032910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.626{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014032909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.626{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014032907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014032906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x800000000000000014032905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.625{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x800000000000000014032889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000014032880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000014032878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.624{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014032837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x800000000000000014032836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x800000000000000014032835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.611{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000014032834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.610{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x800000000000000014032833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.609{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x800000000000000014032832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.609{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014032823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.601{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
13241300x800000000000000014032815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.598{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b563-0xb652b5ad)
734700x800000000000000014032810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.586{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid
13241300x800000000000000014032777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.588{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList\a{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exe
13241300x800000000000000014032774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.587{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7E6AC0D5-FA09-4FAD-95E2-42C58DFAC111}\AppId{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exe
10341000x800000000000000014032766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.584{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014032765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.584{8B6011A9-EF7D-6151-C8C2-01000000F001}86488956C:\Windows\explorer.exe{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014032764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:29.579{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK
13241300x800000000000000014032753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.567{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\WScript.exe.ApplicationCompanyMicrosoft Corporation
13241300x800000000000000014032752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:29.567{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\WScript.exe.FriendlyAppNameMicrosoft ® Windows Based Script Host
734700x800000000000000014035156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.527{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014035131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.526{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
13241300x800000000000000014033812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:30.480{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014033811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.478{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014033810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.478{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014033803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.405{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
10341000x800000000000000014033797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.474{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014033793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.474{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014033781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.469{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014033777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.405{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014033751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.404{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014033729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.403{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014033696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.402{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014033680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.401{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014033679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.403{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
12241200x800000000000000014033655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.432{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014033649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.400{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014033629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.427{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014033623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.400{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014033594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.399{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014033587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.419{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014033577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.419{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014033576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.416{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014033575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.416{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014033574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.415{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014033573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.415{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014033572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.415{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014033571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.414{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014033570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.414{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014033569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.414{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014033568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.410{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014033567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.410{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014033566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.409{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
534500x800000000000000014033564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.406{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exe
734700x800000000000000014033556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.399{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
734700x800000000000000014033538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.401{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014033537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.401{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014033536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.401{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014033533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.399{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
10341000x800000000000000014033532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.398{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014033531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.396{8B6011A9-B6DD-6154-C516-02000000F001}37006448C:\Windows\System32\WScript.exe{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014033530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.393{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014033525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.386{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000014033502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.384{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014033501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.379{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
734700x800000000000000014033416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.250{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000014033415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.240{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000014033408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.229{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
734700x800000000000000014033391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.237{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000014033388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.235{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
12241200x800000000000000014033387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.234{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000014033386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:30.233{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000014033385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.233{8B6011A9-B6DD-6154-C516-02000000F001}3700C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
22542200x800000000000000014035901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:46.853{8B6011A9-B6DE-6154-C716-02000000F001}4640paste.ee0::ffff:104.26.4.223;::ffff:104.26.5.223;::ffff:172.67.68.88;C:\Windows\SysWOW64\wscript.exe
734700x800000000000000014035897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.175{8B6011A9-B6DF-6154-C816-02000000F001}9136C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014035896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.180{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
13241300x800000000000000014035782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:31.176{8B6011A9-B6DF-6154-C816-02000000F001}9136C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014035714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.107{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid
734700x800000000000000014035685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.094{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
734700x800000000000000014035656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.079{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
734700x800000000000000014035595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.062{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=EE819BD4AC9B986F13574CD7F1384913,SHA256=E9997360FFACB4DDB4E9E5F6AFDCCDACF1FAACF2CC38A96108700183C27BA194trueMicrosoft WindowsValid
10341000x800000000000000014035571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.099{8B6011A9-B6DE-6154-C716-02000000F001}46408096C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6DF-6154-C816-02000000F001}9136C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014035570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.099{8B6011A9-B6DF-6154-C816-02000000F001}9136C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014035565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.058{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Program Files (x86)\Common Files\System\ado\msado15.dll10.0.14393.4169 (rs1_release.210107-1130)ActiveX Data ObjectsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsado15.dllMD5=0773E3F6B080C8BAB1C694136D9AB923,SHA256=4DAC725E8DD3700DB8474A6F9DD40A2DBF0472AEE01827E16EA88808FB3E6924trueMicrosoft WindowsValid
12241200x800000000000000014035544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:31.092{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014035541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.013{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
12241200x800000000000000014035516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:31.080{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014035515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:31.080{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014035507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.996{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014035482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.991{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014035461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.065{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
11241100x800000000000000014035460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:31.063{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll2021-09-29 18:56:31.063
734700x800000000000000014035452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.987{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
734700x800000000000000014035424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.983{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014035397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.971{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
734700x800000000000000014035372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.670{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014035338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.670{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014035303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.668{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
734700x800000000000000014035261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.550{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
734700x800000000000000014035236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.533{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
734700x800000000000000014035208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.530{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014035181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:30.529{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
354300x800000000000000014035990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:45.781{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local61923-false104.26.4.223-443https
734700x800000000000000014036399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid
734700x800000000000000014036370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.256{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid
734700x800000000000000014036343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.254{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid
734700x800000000000000014036318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.250{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
734700x800000000000000014036290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.245{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014036265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.229{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.230{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.228{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014036215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.271{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
734700x800000000000000014036214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.270{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014036213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.269{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014036206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000014036185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.258{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014036184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014036183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014036182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.257{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014036180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014036177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
12241200x800000000000000014036154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014036153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014036152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014036151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014036150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.255{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014036149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.254{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
734700x800000000000000014036148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.252{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
10341000x800000000000000014036147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.251{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014036146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.251{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014036145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99
12241200x800000000000000014036144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
13241300x800000000000000014036143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.251{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data
12241200x800000000000000014036142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.250{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
734700x800000000000000014036133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
13241300x800000000000000014036112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:33.247{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014036110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.246{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014036109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.246{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014036073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.228{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014036072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014036071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014036070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.227{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014036069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014036066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014036065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.226{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014036064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014036057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014036047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.225{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014036037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014036034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014036033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.224{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014036031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.223{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014036030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
734700x800000000000000014036029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.223{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014036027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014036025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014036024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.222{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014036022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.221{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014036019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.221{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014036018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014036017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014036015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
10341000x800000000000000014036014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6DE-6154-C716-02000000F001}464010200C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014036013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.220{8B6011A9-B6E1-6154-CA16-02000000F001}7640C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014036012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014036011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014036010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.219{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014036009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.218{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014036008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.217{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.217{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014036006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.217{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014036005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:33.216{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014036004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.216{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.215{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014036002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.215{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014036000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.214{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
10341000x800000000000000014035998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.211{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014035997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.210{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005ED0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000087E6948)
154100x800000000000000014035996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:33.210{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
13241300x800000000000000014036511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:56:35.288{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014036509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.288{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
534500x800000000000000014036491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.275{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe
734700x800000000000000014036475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.270{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014036471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.270{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014036470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014036469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014036468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014036465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.269{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014036464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014036463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
22542200x800000000000000014036461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:49.629{8B6011A9-B6E1-6154-C916-02000000F001}6352snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe
734700x800000000000000014036460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.268{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014036459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014036458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014036457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014036455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014036453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.267{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014036452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014036450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014036447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.266{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014036445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.265{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014036441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014036440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014036439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.264{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014036436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014036434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014036433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.263{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014036432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014036430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
10341000x800000000000000014036429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6DE-6154-C716-02000000F001}46408716C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014036428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CC16-02000000F001}8556C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014036427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014036426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.262{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014036425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.261{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014036424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.260{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014036423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.260{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014036421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:35.259{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014036420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:56:35.259{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014036419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014036418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.259{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014036417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014036415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.258{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014036414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014036413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014036412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.257{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014036411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.256{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014036410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.254{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014036409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.253{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007460169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000087E68D0)
154100x800000000000000014036408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:35.253{8B6011A9-B6E3-6154-CB16-02000000F001}9912C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
534500x800000000000000014036749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.410{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe
734700x800000000000000014036747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.381{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
734700x800000000000000014036719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.378{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
10341000x800000000000000014036694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014036693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014036692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014036691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000014036690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014036689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014036688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000014036687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.384{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000014036683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.383{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000014036682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014036681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014036680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.382{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000014036679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.381{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
18141800x800000000000000014036678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 18:56:37.379{8B6011A9-B6DE-6154-C716-02000000F001}4640\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000014036670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.372{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
734700x800000000000000014036648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.364{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid
10341000x800000000000000014036624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014036623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014036622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014036621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000014036620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014036619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014036618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.367{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
10341000x800000000000000014036617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.365{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)
10341000x800000000000000014036616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.365{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014036615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.365{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014036614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.365{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)
10341000x800000000000000014036613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.365{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
11241100x800000000000000014036611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.362{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362
10341000x800000000000000014036610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014036607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
734700x800000000000000014036606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.354{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable
10341000x800000000000000014036605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014036604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014036603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.361{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
734700x800000000000000014036600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.344{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid
734700x800000000000000014036574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.348{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
534500x800000000000000014036571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.334{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe
734700x800000000000000014036570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.329{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014036569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014036568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014036567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014036566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014036565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014036563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.328{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014036562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.327{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014036561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.327{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014036560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.326{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014036559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.326{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014036558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.326{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014036557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.326{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014036556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.325{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014036555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.325{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014036554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.325{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014036553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.324{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014036552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.324{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014036551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.324{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014036550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.323{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014036549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.323{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014036548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.323{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014036547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.322{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014036546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.322{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014036545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.322{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014036544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.322{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014036543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.321{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014036542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.321{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014036541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.321{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014036540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.320{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014036539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.319{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014036538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.319{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014036536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014036535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.318{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014036534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014036533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014036532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014036531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.317{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014036530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014036529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014036528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.316{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014036527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.313{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014036526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.312{8B6011A9-B6DE-6154-C716-02000000F001}46406056C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000075D0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000034291B8)
154100x800000000000000014036525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:56:37.313{8B6011A9-B6E5-6154-CD16-02000000F001}5948C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6DE-6154-C716-02000000F001}4640C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014041484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.962{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000014041432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.960{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000014041405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.959{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000014041376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.958{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
734700x800000000000000014041347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
12241200x800000000000000014041315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000014041314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.957{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000014041313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.956{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
734700x800000000000000014041312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.711{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014041311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.711{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014041310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.710{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014041301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.595{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
734700x800000000000000014041275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.578{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
734700x800000000000000014041249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.574{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014041222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.573{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014041203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.571{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
13241300x800000000000000014041179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.579{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
12241200x800000000000000014041172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.576{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014041171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.576{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014041170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014041169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014041168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014041167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014041166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014041165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014041164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014041163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014041162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014041161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
734700x800000000000000014041157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.570{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000014041150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.575{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014041127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.554{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
12241200x800000000000000014041104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.554{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014041094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.542{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014041069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.538{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014041048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.537{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.535{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014041040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.535{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014041039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.533{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014041038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.532{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014041037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.532{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014041035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014041034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014041033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014041032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014041031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014041030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014041029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.531{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014041028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014041027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014041026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000014041025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x800000000000000014041024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014041023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.530{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014041022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014041021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000014041020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.529{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014041019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.528{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014041016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.520{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014041015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.520{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014041014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.519{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014041013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014041012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014041011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.517{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014041010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.514{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014041009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.513{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
734700x800000000000000014041008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014041007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014041006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.512{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014041005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.511{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014041004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.510{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
734700x800000000000000014041003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.509{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014040998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.507{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014040991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.491{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014040987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014040976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014040975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.506{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014040974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014040973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014040972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014040971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.505{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014040969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.503{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
734700x800000000000000014040966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.503{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
734700x800000000000000014040964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.487{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014040943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.502{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014040942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014040941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014040940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.501{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014040939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.500{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014040938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.498{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014040922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.483{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014040905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.495{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014040903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.495{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014040902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.494{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014040900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.493{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014040899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.493{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014040895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.492{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014040890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.488{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
12241200x800000000000000014040883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.486{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014040882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:26.486{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014040880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.486{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014040871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.484{8B6011A9-51ED-6143-1600-00000000F001}13247708C:\Windows\System32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014040870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.484{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014040868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.482{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014040866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.479{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
734700x800000000000000014040861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.478{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014040860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.478{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014040858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.478{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014040857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.477{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014040856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.477{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014040855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.477{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014040854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.476{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
13241300x800000000000000014040853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:26.476{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b564-0x1fc034b6)
734700x800000000000000014040850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.476{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x800000000000000014040849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.476{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000014040848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.476{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000014040847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.475{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014040846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.475{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x800000000000000014040845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.475{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x800000000000000014040844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.474{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000014040841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.474{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x800000000000000014040839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.473{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x800000000000000014040836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.472{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014040832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.472{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014040831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.472{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid
10341000x800000000000000014040830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.470{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014040829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.470{8B6011A9-EF7D-6151-C8C2-01000000F001}86488952C:\Windows\explorer.exe{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014040828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:26.470{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK
734700x800000000000000014042043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.995{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
13241300x800000000000000014042039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.992{8B6011A9-B78F-6154-E916-02000000F001}9532C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014042037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.991{8B6011A9-B78F-6154-E916-02000000F001}9532C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014041988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.963{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid
10341000x800000000000000014041986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.958{8B6011A9-B78F-6154-E816-02000000F001}98126564C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B78F-6154-E916-02000000F001}9532C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014041985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.958{8B6011A9-B78F-6154-E916-02000000F001}9532C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014041984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.954{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014041983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.953{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
12241200x800000000000000014041982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.944{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014041981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.944{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014041980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.943{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
734700x800000000000000014041979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.941{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014041947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.924{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
734700x800000000000000014041946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.923{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014041945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.921{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014041944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.920{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
12241200x800000000000000014041943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.919{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
12241200x800000000000000014041942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.919{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
734700x800000000000000014041941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.919{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014041940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.919{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
734700x800000000000000014041933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.636{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014041932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.636{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014041931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.635{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
734700x800000000000000014041930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.511{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
13241300x800000000000000014041929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.499{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.499{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.499{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014041926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.498{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014041925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
12241200x800000000000000014041924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014041923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014041922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014041921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014041920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014041919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014041918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014041917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014041916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.497{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014041915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.496{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014041914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.496{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014041913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.496{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014041912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.496{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014041911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.496{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014041910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.495{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
734700x800000000000000014041909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.494{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014041908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.494{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
12241200x800000000000000014041907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.481{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014041906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.481{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid
734700x800000000000000014041905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.471{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014041904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.470{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
12241200x800000000000000014041903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.470{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.470{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.470{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.470{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.469{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.469{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.469{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014041896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.467{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014041895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.466{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
13241300x800000000000000014041894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.465{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014041893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.464{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014041892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.464{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014041890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014041889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014041888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014041887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014041886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014041885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014041884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.463{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014041883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.462{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014041882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.462{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014041881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.462{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014041880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:27.462{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014041879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.461{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014041878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.461{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid
12241200x800000000000000014041877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014041876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
12241200x800000000000000014041875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014041874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.460{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid
734700x800000000000000014041873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.454{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014041872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.454{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid
734700x800000000000000014041871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.453{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
10341000x800000000000000014041870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.451{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014041869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.451{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014041868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.446{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014041867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.445{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid
734700x800000000000000014041866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.443{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014041865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.427{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014041864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.426{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014041863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.426{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014041862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.424{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
734700x800000000000000014041861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.423{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014041860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.420{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014041859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.420{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014041858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.415{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014041857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.412{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014041856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.410{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014041855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.367{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014041854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.365{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014041853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.208{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014041852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.207{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014041851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.207{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014041850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.206{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014041849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.205{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014041848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.205{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014041847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.204{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014041846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014041845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014041844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014041843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.202{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014041842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.201{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014041840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.200{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014041838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.199{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014041837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.198{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014041836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.197{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014041835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014041834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014041833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.196{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014041832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.195{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014041831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.194{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014041830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.194{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014041829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.193{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014041828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.193{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014041827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.190{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014041826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.188{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014041825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.187{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014041824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.179{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014041823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.163{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014041820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.156{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014041819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.152{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014041818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.147{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014041817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.136{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014041816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.134{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014041815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.133{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014041814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.121{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014041813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.118{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014041812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.117{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014041811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.116{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014041810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.110{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014041809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.108{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014041808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.102{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014041807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.097{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014041806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.084{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014041805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.083{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014041804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.082{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014041803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.082{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014041798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.082{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014041752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.077{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014041751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.077{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014041723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.072{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014041722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.068{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
534500x800000000000000014041669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.060{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exe
734700x800000000000000014041641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.054{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014041640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.053{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014041638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.052{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014041637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.052{8B6011A9-B78E-6154-E616-02000000F001}86529228C:\Windows\System32\WScript.exe{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014041636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.052{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014041610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.048{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000014041609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:27.048{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014041582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:27.041{8B6011A9-B78E-6154-E616-02000000F001}8652C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
354300x800000000000000014042056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:42.758{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62015-false104.26.4.223-443https
22542200x800000000000000014042048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:43.833{8B6011A9-B78F-6154-E816-02000000F001}9812paste.ee0::ffff:104.26.4.223;::ffff:104.26.5.223;::ffff:172.67.68.88;C:\Windows\SysWOW64\wscript.exe
534500x800000000000000014042165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.044{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe
13241300x800000000000000014042161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:30.040{8B6011A9-B792-6154-EB16-02000000F001}4256C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014042159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.040{8B6011A9-B792-6154-EB16-02000000F001}4256C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014042157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.039{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014042154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.038{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014042153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.038{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014042152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.038{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014042150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.037{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014042130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.024{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014042127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.024{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014042116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.020{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.020{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.020{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.019{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014042111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.019{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014042110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.019{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014042109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.018{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014042107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.018{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014042105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.018{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014042104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.017{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014042102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.017{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014042100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.017{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014042097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.016{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014042095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.016{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014042092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.015{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014042091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.015{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014042089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.015{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014042087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.014{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014042085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.014{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014042084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.014{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014042083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.013{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014042081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.013{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
10341000x800000000000000014042080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.013{8B6011A9-B78F-6154-E816-02000000F001}98129768C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B792-6154-EB16-02000000F001}4256C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014042079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.013{8B6011A9-B792-6154-EB16-02000000F001}4256C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014042078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.013{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014042077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.012{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014042076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.012{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014042075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.011{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014042074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.011{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.010{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014042072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:30.010{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
734700x800000000000000014042071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.010{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000014042070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:30.010{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014042069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.010{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.009{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.009{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014042065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014042064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.008{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014042063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.007{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014042062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.007{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014042061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.005{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014042060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.004{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005440169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3A80)
154100x800000000000000014042059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:30.004{8B6011A9-B792-6154-EA16-02000000F001}4984C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
13241300x800000000000000014042300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 18:59:32.084{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014042298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.083{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
534500x800000000000000014042275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.069{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe
734700x800000000000000014042261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.065{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014042260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014042259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014042258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014042257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014042255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.064{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014042251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014042250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014042249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.063{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014042247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014042245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014042244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014042242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.062{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014042240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014042238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014042236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.061{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014042234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.060{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014042232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.060{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014042229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.059{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014042227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.059{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014042225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014042224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014042223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.058{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014042221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
10341000x800000000000000014042220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B78F-6154-E816-02000000F001}98127396C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
734700x800000000000000014042219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
154100x800000000000000014042218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-ED16-02000000F001}6472C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014042217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014042216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.057{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014042215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.056{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014042214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.056{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014042213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.055{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014042212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.055{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.054{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014042210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:32.054{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
734700x800000000000000014042209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.054{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000014042208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 18:59:32.053{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014042207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.053{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014042203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014042202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.052{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014042201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.051{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014042200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.051{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014042199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.048{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014042198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.048{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000056A0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3AB0)
154100x800000000000000014042197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:32.048{8B6011A9-B794-6154-EC16-02000000F001}6136C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
534500x800000000000000014042411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.214{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000014042408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014042407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014042406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014042405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000014042404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.191{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014042403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014042402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000014042401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000014042397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.190{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000014042396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014042395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014042394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000014042393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.189{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
734700x800000000000000014042392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.188{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
18141800x800000000000000014042391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 18:59:34.188{8B6011A9-B78F-6154-E816-02000000F001}9812\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000014042390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.187{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
734700x800000000000000014042389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.187{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
10341000x800000000000000014042388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.184{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014042387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.183{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014042386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.183{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014042385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.183{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000014042384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014042383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014042382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
10341000x800000000000000014042381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)
10341000x800000000000000014042380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014042379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014042378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)
10341000x800000000000000014042377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.182{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
734700x800000000000000014042376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.181{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid
11241100x800000000000000014042375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.181{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362
23542300x800000000000000014042374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.181{8B6011A9-B78F-6154-E816-02000000F001}9812ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue
10341000x800000000000000014042373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.179{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014042370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014042369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014042368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014042367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.178{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
734700x800000000000000014042366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.175{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable
734700x800000000000000014042365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.173{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
734700x800000000000000014042364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.156{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid
534500x800000000000000014042363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.148{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe
734700x800000000000000014042362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.145{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014042361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014042360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014042359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014042358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014042356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.144{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014042355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.143{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014042354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.143{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014042353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.143{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014042352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.143{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014042351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.142{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014042350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.142{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014042349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.142{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014042348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.141{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014042347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.141{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014042346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.141{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014042345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.141{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014042344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.140{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014042343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.140{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014042342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.139{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014042341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.139{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014042340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.139{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014042339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.139{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014042338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.138{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014042337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.138{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014042336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.138{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014042335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.137{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014042334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.137{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014042333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.137{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014042332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.137{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014042331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.136{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014042330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.135{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.135{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014042328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014042327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014042325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.134{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014042324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014042323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014042322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.133{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014042321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.132{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014042320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.132{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014042319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.130{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014042318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.129{8B6011A9-B78F-6154-E816-02000000F001}98122192C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000006BA0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000AA3AE0)
154100x800000000000000014042317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 18:59:34.129{8B6011A9-B796-6154-EE16-02000000F001}5376C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B78F-6154-E816-02000000F001}9812C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014049280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:20.640{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014049279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:20.640{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
354300x800000000000000014049413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:35.925{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62265-false46.43.90.184-7676-
734700x800000000000000014049459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.161{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=31B320D99570E7D6FFE82CED32FD3863,SHA256=66782B6B23A96A8CA8D1B6EEACA4296683B90DB006015D00DBC4E3B8D51B5995trueMicrosoft WindowsValid
734700x800000000000000014049458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014049457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014049456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.126{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
10341000x800000000000000014049455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.115{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014049454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.115{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014049453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:33.115{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
354300x800000000000000014049470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:48.701{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62280-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
534500x800000000000000014050125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.822{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe
11241100x800000000000000014050124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.820{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdb2021-09-29 19:07:50.819
10341000x800000000000000014050121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.818{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.817{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7322-614B-EAFE-00000000F001}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-731A-614B-E9FE-00000000F001}6496C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7319-614B-E8FE-00000000F001}7124C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7308-614B-E6FE-00000000F001}7888C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-72C8-614B-DCFE-00000000F001}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-57FE-00000000F001}5432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-56FE-00000000F001}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-6AF5-00000000F001}5236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-69F5-00000000F001}2456C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.816{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-284B-614B-48F5-00000000F001}2824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-284B-614B-47F5-00000000F001}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2691-614B-10F5-00000000F001}5132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2691-614B-0FF5-00000000F001}6436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2539-614B-DAF4-00000000F001}7548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2539-614B-D9F4-00000000F001}4792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C4F4-00000000F001}2720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.815{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C3F4-00000000F001}6928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D7E4-00000000F001}3984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D6E4-00000000F001}7188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9918-614A-56E4-00000000F001}3868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-988D-614A-16E4-00000000F001}2416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97DA-614A-DBE3-00000000F001}6016C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D5E3-00000000F001}7952C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.814{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D4E3-00000000F001}6812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D2E3-00000000F001}5600C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D1-614A-D1E3-00000000F001}8072C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-300B-614A-57D4-00000000F001}7096C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-300B-614A-56D4-00000000F001}4212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6A6-6148-C6A7-00000000F001}5816C:\Windows\syswow64\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B669-6148-BEA7-00000000F001}4596C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B669-6148-BDA7-00000000F001}5640C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.813{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B668-6148-BCA7-00000000F001}2096C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5E83-6143-0A07-00000000F001}5748C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CD06-00000000F001}2812C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CB06-00000000F001}5084C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CA06-00000000F001}504C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
10341000x800000000000000014050073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C906-00000000F001}5096C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
734700x800000000000000014050072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
10341000x800000000000000014050071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.812{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C806-00000000F001}4884C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+456d8(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
734700x800000000000000014050070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.803{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=3E0252D377C7905383A3780B13495CA9,SHA256=FD24AD22E174873DEDC5BB091A9E32CF2689063C5B18E79615B3B52081582FADtrueMicrosoft WindowsValid
734700x800000000000000014050069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.803{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=409A29B1256F511E902B06665240FAB6,SHA256=5E2D6AC618928A94A5BCD13ECD8A4F7CD886A2FF14D745A5E5D254712360D07DtrueMicrosoft WindowsValid
734700x800000000000000014050068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.801{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\pstorec.dll10.0.14393.0 (rs1_release.160715-1616)Deprecated Protected Storage COM interfacesMicrosoft® Windows® Operating SystemMicrosoft Corporationpstorec.dllMD5=41AFC2542BE18E3DDE3F40946958D4AD,SHA256=4A526B86E47EA9DE7081A90B1473487F23FA74AF18D4FF8CA2A08EEEC08A8FEFtrueMicrosoft WindowsValid
734700x800000000000000014050067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.800{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014050066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.799{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014050065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.799{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
13241300x800000000000000014050064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014050063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014050062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:07:50.796{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
734700x800000000000000014050061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.795{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014050060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.795{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014050059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.793{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
10341000x800000000000000014050058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.793{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014050057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.792{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014050056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.792{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.791{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7322-614B-EAFE-00000000F001}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-731A-614B-E9FE-00000000F001}6496C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7319-614B-E8FE-00000000F001}7124C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-7308-614B-E6FE-00000000F001}7888C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-72C8-614B-DCFE-00000000F001}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-57FE-00000000F001}5432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-56FE-00000000F001}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.790{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-6AF5-00000000F001}5236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-69F5-00000000F001}2456C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-284B-614B-48F5-00000000F001}2824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-284B-614B-47F5-00000000F001}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2691-614B-10F5-00000000F001}5132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2691-614B-0FF5-00000000F001}6436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2539-614B-DAF4-00000000F001}7548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2539-614B-D9F4-00000000F001}4792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C4F4-00000000F001}2720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.789{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C3F4-00000000F001}6928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D7E4-00000000F001}3984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D6E4-00000000F001}7188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-9918-614A-56E4-00000000F001}3868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-988D-614A-16E4-00000000F001}2416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97DA-614A-DBE3-00000000F001}6016C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D5E3-00000000F001}7952C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D4E3-00000000F001}6812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.788{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D2E3-00000000F001}5600C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-97D1-614A-D1E3-00000000F001}8072C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-300B-614A-57D4-00000000F001}7096C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-300B-614A-56D4-00000000F001}4212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B6A6-6148-C6A7-00000000F001}5816C:\Windows\syswow64\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B669-6148-BEA7-00000000F001}4596C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B669-6148-BDA7-00000000F001}5640C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-B668-6148-BCA7-00000000F001}2096C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5E83-6143-0A07-00000000F001}5748C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.787{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CD06-00000000F001}2812C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CB06-00000000F001}5084C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE6-6143-CA06-00000000F001}504C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
10341000x800000000000000014050008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C906-00000000F001}5096C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
734700x800000000000000014050007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
10341000x800000000000000014050006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.786{8B6011A9-B986-6154-2B17-02000000F001}98049520C:\Windows\winhlp32.exe{8B6011A9-5DE5-6143-C806-00000000F001}4884C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+13de6(wow64)|C:\Windows\winhlp32.exe+de88(wow64)|C:\Windows\winhlp32.exe+e06b(wow64)|C:\Windows\winhlp32.exe+e521(wow64)|C:\Windows\winhlp32.exe+e6a3(wow64)|C:\Windows\winhlp32.exe+c2d8(wow64)|C:\Windows\winhlp32.exe+c7a7(wow64)|C:\Windows\winhlp32.exe+45561(wow64)|C:\Windows\winhlp32.exe+3335(wow64)|C:\Windows\winhlp32.exe+11157(wow64)|C:\Windows\winhlp32.exe+1285b(wow64)|C:\Windows\winhlp32.exe+4688c(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
534500x800000000000000014050005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.742{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe
11241100x800000000000000014050004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.741{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\ebffoaoexbenavqizobmrctzijlschk2021-09-29 19:07:50.740
734700x800000000000000014050003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.740{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014050002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.739{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014050001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.739{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
10341000x800000000000000014050000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.738{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014049999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.738{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014049998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-8A88-6153-59F3-01000000F001}9584C:\Windows\SysWOW64\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-823B-6153-58F2-01000000F001}6948C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-55EC-01000000F001}1288C:\Program Files\OpenJDK\jdk-17\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.737{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-54EC-01000000F001}944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-4EEC-6153-53EC-01000000F001}2752C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-03CE-6152-6BC5-01000000F001}5616C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7E-6151-CAC2-01000000F001}7568C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C9C2-01000000F001}8792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-81FF-00000000F001}7172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-74DF-614B-80FF-00000000F001}5360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-732C-614B-EFFE-00000000F001}8120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7322-614B-EAFE-00000000F001}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-731A-614B-E9FE-00000000F001}6496C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7319-614B-E8FE-00000000F001}7124C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-7308-614B-E6FE-00000000F001}7888C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-72C8-614B-DCFE-00000000F001}2212C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-57FE-00000000F001}5432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-6F8B-614B-56FE-00000000F001}2184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-6AF5-00000000F001}5236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.736{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-28AA-614B-69F5-00000000F001}2456C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-284B-614B-48F5-00000000F001}2824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-284B-614B-47F5-00000000F001}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2691-614B-10F5-00000000F001}5132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2691-614B-0FF5-00000000F001}6436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2539-614B-DAF4-00000000F001}7548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2539-614B-D9F4-00000000F001}4792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C4F4-00000000F001}2720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-2491-614B-C3F4-00000000F001}6928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D7E4-00000000F001}3984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-9D25-614A-D6E4-00000000F001}7188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-9918-614A-56E4-00000000F001}3868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
734700x800000000000000014049941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.725{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\pstorec.dll10.0.14393.0 (rs1_release.160715-1616)Deprecated Protected Storage COM interfacesMicrosoft® Windows® Operating SystemMicrosoft Corporationpstorec.dllMD5=41AFC2542BE18E3DDE3F40946958D4AD,SHA256=4A526B86E47EA9DE7081A90B1473487F23FA74AF18D4FF8CA2A08EEEC08A8FEFtrueMicrosoft WindowsValid
10341000x800000000000000014049940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.735{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-988D-614A-16E4-00000000F001}2416C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.734{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-97DA-614A-DBE3-00000000F001}6016C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.734{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D5E3-00000000F001}7952C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.734{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D4E3-00000000F001}6812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.734{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-97D3-614A-D2E3-00000000F001}5600C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.732{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2600-00000000F001}2840C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51FD-6143-2500-00000000F001}2772C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51F7-6143-2300-00000000F001}2612C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51F1-6143-2100-00000000F001}2500C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51F1-6143-2000-00000000F001}2492C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
534500x800000000000000014049896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe
10341000x800000000000000014049895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51EE-6143-1D00-00000000F001}2072C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1700-00000000F001}1484C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1600-00000000F001}1324C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1400-00000000F001}1048C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1300-00000000F001}388C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1200-00000000F001}692C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1100-00000000F001}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-1000-00000000F001}96C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-0F00-00000000F001}300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-0E00-00000000F001}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-0D00-00000000F001}908C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51ED-6143-0C00-00000000F001}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51EB-6143-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
10341000x800000000000000014049881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.731{8B6011A9-B986-6154-2C17-02000000F001}89124692C:\Windows\winhlp32.exe{8B6011A9-51EB-6143-0900-00000000F001}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\winhlp32.exe+11305(wow64)|C:\Windows\winhlp32.exe+115ed(wow64)|C:\Windows\winhlp32.exe+44a3(wow64)|C:\Windows\winhlp32.exe+49fc(wow64)|C:\Windows\winhlp32.exe+428d(wow64)|C:\Windows\winhlp32.exe+4333(wow64)|C:\Windows\winhlp32.exe+43da(wow64)|C:\Windows\winhlp32.exe+103ed(wow64)|C:\Windows\winhlp32.exe+dcd8(wow64)|C:\Windows\winhlp32.exe+f136(wow64)|C:\Windows\winhlp32.exe+3ef5(wow64)|UNKNOWN(00000000240A1248)
11241100x800000000000000014049880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.730{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\gvlyptzyljwsdcmmiyofuonprydtwsbygd2021-09-29 19:07:50.730
734700x800000000000000014049879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014049878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014049877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.728{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
10341000x800000000000000014049876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.727{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014049875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.727{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014049874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.725{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014049872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.725{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014049870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.724{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014049769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.677{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014049768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.677{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014049767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.677{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014049765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014049764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014049763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014049762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014049761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.676{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014049759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.675{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014049758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.675{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014049757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.675{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014049756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.675{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014049755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.675{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014049754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014049753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014049751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014049750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014049749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014049748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
734700x800000000000000014049747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.674{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014049745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014049744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014049743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x800000000000000014049742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
734700x800000000000000014049741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
10341000x800000000000000014049739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+10537(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
734700x800000000000000014049738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
154100x800000000000000014049737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.673{8B6011A9-B986-6154-2D17-02000000F001}6464C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext "C:\Users\Administrator\AppData\Local\Temp\2\gvlyptzyljwsdcmmiyofuonprydtwsbygd"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
734700x800000000000000014049736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014049735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014049734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.672{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
734700x800000000000000014049733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014049732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
10341000x800000000000000014049731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
734700x800000000000000014049730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
10341000x800000000000000014049729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.670{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+104b4(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
154100x800000000000000014049728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.671{8B6011A9-B986-6154-2C17-02000000F001}8912C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext "C:\Users\Administrator\AppData\Local\Temp\2\ebffoaoexbenavqizobmrctzijlschk"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
734700x800000000000000014049727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.670{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014049726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.670{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014049725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.669{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014049724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.668{8B6011A9-B6E1-6154-C916-02000000F001}63525384C:\Windows\winhlp32.exe{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\winhlp32.exe+14196(wow64)|C:\Windows\winhlp32.exe+1433b(wow64)|C:\Windows\winhlp32.exe+10428(wow64)|C:\Windows\winhlp32.exe+102d7(wow64)|C:\Windows\winhlp32.exe+4d84(wow64)|C:\Windows\winhlp32.exe+4c44(wow64)|C:\Windows\winhlp32.exe+101f5(wow64)|C:\Windows\winhlp32.exe+12a34(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
154100x800000000000000014049723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:50.669{8B6011A9-B986-6154-2B17-02000000F001}9804C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEC:\Windows\winhlp32.exe /stext "C:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdb"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
354300x800000000000000014049697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:03.497{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62287-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
23542300x800000000000000014050128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:07:51.175{8B6011A9-B6E1-6154-C916-02000000F001}6352ATTACKRANGE\AdministratorC:\Windows\winhlp32.exeC:\Users\Administrator\AppData\Local\Temp\2\tysnoiedjtmjqhceqdokgxyizdbMD5=43CE8A8C022FF2D85D4BD19797EFFC55,SHA256=CCEA5FEEAFBD66FCB18CB159331BF9DAB676EAF1E2B90E069F53C16271774253falsetrue
534500x800000000000000014050689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.884{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exe
23542300x800000000000000014050688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.882{8B6011A9-B9AE-6154-3217-02000000F001}8908ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\rmfgfpdhwdikg.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue
734700x800000000000000014050687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.881{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014050686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.880{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014050685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.877{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014050684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014050683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014050682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014050681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.875{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014050680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014050679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014050678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.874{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014050677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.873{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014050676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.872{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014050675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.872{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014050674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.871{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014050673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.870{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014050672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.870{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014050671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.869{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014050670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.867{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014050669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.865{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014050668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.865{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014050667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.864{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014050666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.863{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014050665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.862{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014050664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.861{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014050663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.861{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014050662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.858{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014050661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.857{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014050660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.853{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014050659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.853{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014050658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.852{8B6011A9-51ED-6143-0C00-00000000F001}8528212C:\Windows\system32\svchost.exe{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014050657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.851{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014050656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.851{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014050655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.851{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014050654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.850{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014050653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.848{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014050652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.847{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014050651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.847{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014050650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.846{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014050649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.846{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014050648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.846{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014050647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.845{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014050646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.845{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014050645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.845{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014050644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.845{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014050643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.844{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014050642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.844{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014050641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.844{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014050640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.844{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014050639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.843{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014050638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.843{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014050637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.843{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014050636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.842{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014050635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.841{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014050634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.841{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
534500x800000000000000014050633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.840{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe
734700x800000000000000014050632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.840{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014050631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.840{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014050630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.840{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014050629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.840{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014050628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.839{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014050627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.839{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014050626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.839{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014050625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.838{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014050624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.838{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
12241200x800000000000000014050623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.838{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
12241200x800000000000000014050622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.838{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
734700x800000000000000014050621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.837{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014050620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.837{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014050619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.836{8B6011A9-B6E1-6154-C916-02000000F001}63529348C:\Windows\winhlp32.exe{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014050618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.836{8B6011A9-B9AE-6154-3217-02000000F001}8908C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\rmfgfpdhwdikg.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
13241300x800000000000000014050617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:08:30.833{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014050616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:08:30.833{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014050615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:08:30.832{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014050614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:08:30.832{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014050613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.831{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014050612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.822{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
734700x800000000000000014050611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.821{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
12241200x800000000000000014050610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.818{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications
12241200x800000000000000014050609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.818{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications
13241300x800000000000000014050608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:08:30.818{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data
12241200x800000000000000014050607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.818{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
12241200x800000000000000014050606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.818{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
10341000x800000000000000014050605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.815{8B6011A9-51ED-6143-0C00-00000000F001}8528212C:\Windows\system32\svchost.exe{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014050604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.814{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014050603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:08:30.813{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014050602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.807{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014050601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.801{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014050599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.789{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
11241100x800000000000000014050598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:08:30.787{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\rmfgfpdhwdikg.vbs2021-09-29 19:08:30.787
12241200x800000000000000014050597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-29 19:08:30.787{8B6011A9-B6E1-6154-C916-02000000F001}6352C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
534500x800000000000000014132846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exe
734700x800000000000000014132845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014132844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.997{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014132843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.997{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014132842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.997{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014132841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.996{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014132840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.995{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014132839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.995{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014132838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.994{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014132837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.993{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014132836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.993{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014132835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.993{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014132834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.993{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014132833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.992{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014132832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.992{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014132831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.991{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014132830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.991{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014132829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.991{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014132828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.990{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014132827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.990{8B6011A9-B9FB-6154-A419-02000000F001}17041164C:\Windows\System32\WScript.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014132826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.989{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014132825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.985{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000014132824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.982{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014132823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.977{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
734700x800000000000000014132708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.894{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000014132707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.892{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000014132706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.890{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000014132705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.889{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
12241200x800000000000000014132704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.888{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000014132703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.888{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000014132702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.887{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
734700x800000000000000014132701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.887{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
10341000x800000000000000014132695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.850{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.850{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.812{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.805{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.805{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014132084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.606{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014132083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.605{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014132082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.604{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014132034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.494{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
13241300x800000000000000014132032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.481{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014132026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.480{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000014132025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014132024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014132023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014132018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014132015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.479{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014132012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.478{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014132011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.478{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014132010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.477{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000014132009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.477{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
10341000x800000000000000014132004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.468{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.468{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x800000000000000014131944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.463{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014131938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.463{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014131830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.452{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014131828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014131827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.451{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014131817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.449{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014131814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.448{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014131808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.447{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014131807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.446{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014131806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.446{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014131801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014131800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014131799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014131798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014131797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014131795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014131794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.445{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014131793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
13241300x800000000000000014131792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014131791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014131790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x800000000000000014131789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014131788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.444{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014131787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014131786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
12241200x800000000000000014131785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014131784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.443{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014131783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.442{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014131781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.442{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014131778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.441{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014131771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.439{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.439{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.438{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014131760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.435{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014131749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.431{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
10341000x800000000000000014131739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.427{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.427{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.399{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014131529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.378{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014131528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.378{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014131527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.377{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014131526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.375{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
734700x800000000000000014131524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.361{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014131515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.357{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014131514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.357{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014131513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014131512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014131511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.356{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014131510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014131507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014131505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.355{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014131504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.354{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
734700x800000000000000014131503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.354{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
12241200x800000000000000014131502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.353{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014131501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.353{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014131500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.352{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014131499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.352{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014131498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.351{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014131497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.350{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014131496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014131495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014131494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.349{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014131490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.348{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014131488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.347{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014131477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.342{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014131476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.341{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014131470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.339{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
734700x800000000000000014131468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.338{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014131466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.337{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014131465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:47.337{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014131458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.336{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014131454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014131453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.334{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014131451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.333{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014131447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.330{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
13241300x800000000000000014131445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:47.330{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b565-0x91cf106c)
734700x800000000000000014131441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.329{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014131440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.329{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014131439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014131438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014131437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014131436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.328{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014131435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x800000000000000014131434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x800000000000000014131432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000014131431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.327{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000014131430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014131429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x800000000000000014131428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x800000000000000014131427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.326{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000014131424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.325{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x800000000000000014131418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.324{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x800000000000000014131416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.324{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014131407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.323{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014131405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.323{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid
10341000x800000000000000014131399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.322{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014131398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.321{8B6011A9-EF7D-6151-C8C2-01000000F001}86488760C:\Windows\explorer.exe{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014131397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.320{8B6011A9-B9FB-6154-A419-02000000F001}1704C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK
10341000x800000000000000014134897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.928{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.928{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.879{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.879{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.854{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.848{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.848{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014134343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.792{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
13241300x800000000000000014134339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.788{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014134337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.787{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
10341000x800000000000000014134159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.655{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014134158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.654{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014133966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.629{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid
10341000x800000000000000014133962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.628{8B6011A9-B9FB-6154-AE19-02000000F001}76284620C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014133961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.628{8B6011A9-B9FC-6154-B919-02000000F001}8232C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014133954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.623{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014133947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.621{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
10341000x800000000000000014133920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.609{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.609{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x800000000000000014133903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014133899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014133888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.608{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
734700x800000000000000014133741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.591{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014133677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.568{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
734700x800000000000000014133671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.559{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014133670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.556{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014133669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.555{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
12241200x800000000000000014133668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.553{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
12241200x800000000000000014133667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.553{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
734700x800000000000000014133666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.552{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014133665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.549{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
10341000x800000000000000014133519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.397{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.397{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.355{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014133295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.355{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014133056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.250{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014133055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.250{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014133054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.248{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
734700x800000000000000014132962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.136{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
13241300x800000000000000014132961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.121{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014132958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.120{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014132957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.119{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
12241200x800000000000000014132956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014132955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014132954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014132952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.117{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014132950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014132949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014132947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014132946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014132944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.116{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014132943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.115{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014132942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.114{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
734700x800000000000000014132941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.113{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014132940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.111{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
12241200x800000000000000014132939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.095{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014132938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.095{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid
734700x800000000000000014132935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.082{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014132934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
12241200x800000000000000014132933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.079{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.078{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014132926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.076{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014132925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.076{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
13241300x800000000000000014132924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014132923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014132922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.070{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
734700x800000000000000014132920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid
13241300x800000000000000014132919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014132918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014132917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014132916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014132915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014132914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014132913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014132912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.068{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014132911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.067{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
13241300x800000000000000014132910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014132909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014132908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014132907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:48.066{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014132906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.065{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014132905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.065{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014132904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.064{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid
734700x800000000000000014132903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.063{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014132902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.062{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid
734700x800000000000000014132901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.060{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
10341000x800000000000000014132900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.058{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.058{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014132898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.054{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014132897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid
734700x800000000000000014132896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014132895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.052{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014132894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.051{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014132893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.051{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014132892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.049{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
734700x800000000000000014132891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.036{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014132890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.032{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014132889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.032{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014132888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014132887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014132886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014132885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.031{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014132884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.030{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014132883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.030{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014132882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.027{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014132881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.024{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014132880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.023{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014132879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.022{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014132878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.022{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014132877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.020{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014132876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014132875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014132874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.018{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014132873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.017{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014132872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.016{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014132871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.016{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014132870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.011{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014132869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.010{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014132868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.009{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014132867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014132866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014132865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:48.008{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014132864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.007{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.006{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014132862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.006{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014132861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.005{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014132860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.005{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014132859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.002{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014132858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014132857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014132856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.001{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014132855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014132854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014132853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:48.000{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014132852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014132851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014132850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.999{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014132849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014132848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014132847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:47.998{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
10341000x800000000000000014137274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.938{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.938{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.910{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.896{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.896{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.696{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.696{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.657{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.657{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.456{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014136034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.456{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.415{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.415{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.198{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.198{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.158{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014135236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:49.157{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.963{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.962{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.962{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.962{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.950{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.950{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.949{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.940{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.940{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.938{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.938{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.938{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.914{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.914{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.914{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014139380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.914{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014139195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.890{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014139194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.890{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014139193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.890{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014139192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.889{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014139191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.889{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014139190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.889{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014139189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.889{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014139187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.888{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014139164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.876{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014139157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.874{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014139155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.873{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
10341000x800000000000000014139137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.862{8B6011A9-B9FB-6154-AE19-02000000F001}76287620C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B9FE-6154-E519-02000000F001}7684C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014139136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.863{8B6011A9-B9FE-6154-E519-02000000F001}7684C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014139135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.861{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014139134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014139133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014139132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:50.859{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
734700x800000000000000014139131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.859{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000014139130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:50.859{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014139129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.859{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014139128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.859{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014139127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.858{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014139126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.858{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014139125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.858{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014139124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.857{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014139123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.857{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014139122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.857{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014139121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.854{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014139120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.854{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005910169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(000000000316BA80)
154100x800000000000000014139119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.854{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
10341000x800000000000000014138984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.702{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.702{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.661{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.661{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
22542200x800000000000000014138417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:04.454{8B6011A9-B9FB-6154-AE19-02000000F001}7628paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000014138412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.457{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.457{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.413{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014138176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.413{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.204{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.204{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.162{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014137610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:50.162{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.726{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.686{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.474{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.474{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.473{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.473{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014140799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.460{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014140797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.459{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
10341000x800000000000000014140739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.433{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.433{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.433{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.433{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.232{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.232{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.232{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.232{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014140298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.226{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
734700x800000000000000014140262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.224{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014140255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.224{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
12241200x800000000000000014140211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.214{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014140210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.214{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014140208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.214{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014140207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.213{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014140205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.213{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid
734700x800000000000000014140200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.212{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid
12241200x800000000000000014140197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.212{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014140196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.211{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014140195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.211{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014140194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.211{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014140192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.211{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014140191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.211{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
734700x800000000000000014140188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.210{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid
734700x800000000000000014140185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.209{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
10341000x800000000000000014140184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.208{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.208{8B6011A9-51EB-6143-0B00-00000000F001}6328288C:\Windows\system32\lsass.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014140182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:51.207{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99
12241200x800000000000000014140181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.207{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
13241300x800000000000000014140180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:51.207{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data
12241200x800000000000000014140178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:51.207{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
734700x800000000000000014140176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.207{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
734700x800000000000000014140166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.203{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014140164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.202{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
10341000x800000000000000014140136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.191{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.191{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.191{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014140132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.191{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014140090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:51.189{8B6011A9-B9FE-6154-E519-02000000F001}7684C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014140082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.188{8B6011A9-B9FE-6154-E519-02000000F001}7684C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014140026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.185{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014140023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.184{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014140016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.184{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014139998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.183{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014139937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.168{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014139936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.168{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014139934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.167{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014139932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.167{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014139929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.165{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014139924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.163{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014139920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.162{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014139914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.157{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014139910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.156{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014139902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.153{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014139893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.150{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014139880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.143{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
354300x800000000000000014139876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:03.381{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62364-false172.67.68.88-443https
734700x800000000000000014139875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.125{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014139840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.081{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014139833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.079{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
10341000x800000000000000014143482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.983{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.983{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.983{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.983{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.573{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.338{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.293{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.065{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.022{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014142150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.021{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.004{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.004{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.003{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:52.003{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014141904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:51.990{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014143841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:09:53.288{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014143839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.288{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
534500x800000000000000014143803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.271{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe
734700x800000000000000014143801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.267{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014143800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014143799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014143798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014143797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014143796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014143795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.266{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014143794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014143793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014143792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014143791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.265{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014143790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014143789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014143787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.264{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014143785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014143784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014143782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.263{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014143780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014143777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014143775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.262{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014143772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.261{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014143771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.261{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014143768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014143766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014143765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.260{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014143764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014143762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
10341000x800000000000000014143761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-B9FB-6154-AE19-02000000F001}76284932C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014143760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-061A-02000000F001}6804C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014143759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.259{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014143758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014143757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014143756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.258{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014143755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.257{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014143754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.257{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014143753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.256{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014143752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:53.256{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014143751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:09:53.256{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014143750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.256{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014143749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014143748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014143747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.255{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014143746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014143745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014143744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.254{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014143743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.253{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014143742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.253{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014143741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.251{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014143740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.250{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005C30169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000003230DC0)
154100x800000000000000014143739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.251{8B6011A9-BA01-6154-051A-02000000F001}2316C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
22542200x800000000000000014143738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:07.598{8B6011A9-B9FE-6154-E419-02000000F001}1592snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe
10341000x800000000000000014143736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.039{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.039{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.038{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.038{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:53.006{8B6011A9-B9EA-6154-7918-02000000F001}44887240C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+11b6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c144|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000014143937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:06.748{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62367-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
10341000x800000000000000014143936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:54.059{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014143935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:54.059{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
534500x800000000000000014144126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.398{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000014144121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014144120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014144119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014144118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000014144117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014144116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014144115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.366{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000014144114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000014144110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000014144109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.365{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014144108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014144107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000014144106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.364{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
734700x800000000000000014144105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.363{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
18141800x800000000000000014144104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 19:09:55.362{8B6011A9-B9FB-6154-AE19-02000000F001}7628\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000014144103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.362{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
734700x800000000000000014144102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.356{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
10341000x800000000000000014144101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014144100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014144099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.352{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014144098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000014144097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014144096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014144095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
10341000x800000000000000014144094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)
10341000x800000000000000014144093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014144092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)
10341000x800000000000000014144091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)
10341000x800000000000000014144090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.351{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+4a00fc(wow64)|C:\Windows\System32\windows.storage.dll+2e365a(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
734700x800000000000000014144089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.350{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid
11241100x800000000000000014144088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.348{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs2021-09-29 18:56:37.362
23542300x800000000000000014144087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.348{8B6011A9-B9FB-6154-AE19-02000000F001}7628ATTACKRANGE\AdministratorC:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbsMD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89falsetrue
10341000x800000000000000014144086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014144083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014144082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1f1ee0(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014144081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.346{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014144080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.345{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1f1ed2(wow64)|C:\Windows\System32\windows.storage.dll+1db878(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b74b3(wow64)|C:\Windows\System32\windows.storage.dll+1b7422(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
734700x800000000000000014144079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.339{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Program Files\7-Zip\7-zip32.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=B00572D1CB3A88B71EBA6B7E603E9E50,SHA256=68FD28A5A816F6E81535609C11ABC9DEDF320AFC95254C341BAC38F2541DF344false-Unavailable
734700x800000000000000014144078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.337{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
734700x800000000000000014144077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.321{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=0A28E49EC858DA16AC39C7C3F2127518,SHA256=47BF2D11AF3D945D59CAE90AAAF4328C49DED2B27FBBBFEDF6BE2DF30FF38961trueMicrosoft WindowsValid
534500x800000000000000014144076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.316{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exe
734700x800000000000000014144075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.312{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014144074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.311{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014144073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.311{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014144072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.311{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014144071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014144070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014144069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014144068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014144067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014144066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.310{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014144065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.309{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014144064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.309{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014144063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.309{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014144062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.308{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014144061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.308{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014144060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.308{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014144059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.308{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014144058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.307{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014144057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.307{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014144056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.307{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014144055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.306{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014144054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.306{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014144053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.306{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014144052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.305{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014144051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.305{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014144050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.305{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014144049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.305{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014144048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.304{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014144047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.304{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014144046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.304{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014144045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.304{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014144044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.302{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014144043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.302{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014144042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.302{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014144041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.301{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014144040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.301{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014144039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.301{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014144038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.300{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014144037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.300{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014144036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.300{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014144035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.299{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014144034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.299{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014144033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.299{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014144032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.296{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014144031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.296{8B6011A9-B9FB-6154-AE19-02000000F001}76283548C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005E50169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000003230D60)
154100x800000000000000014144030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.296{8B6011A9-BA03-6154-071A-02000000F001}7964C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
10341000x800000000000000014144029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.080{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:55.080{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FB-6154-AE19-02000000F001}7628C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:56.100{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:57.121{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.987{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+9a471|C:\Users\Administrator\Downloads\procexp64.exe+8efac|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+93dfb|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000014144417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.974{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+93c3d|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.974{8B6011A9-B9EA-6154-7918-02000000F001}44888048C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+9a471|C:\Users\Administrator\Downloads\procexp64.exe+93b9b|C:\Windows\System32\USER32.dll+15737|C:\Windows\System32\USER32.dll+14d26|C:\Windows\System32\USER32.dll+14c46|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11815|C:\Windows\System32\USER32.dll+1a721|C:\Windows\System32\USER32.dll+1b5f7|C:\Windows\System32\USER32.dll+1bd41|C:\Users\Administrator\Downloads\procexp64.exe+94114|C:\Users\Administrator\Downloads\procexp64.exe+c7a04|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:58.140{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:09:59.159{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:00.179{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:01.199{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:02.233{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:02.221{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014144876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:02.221{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:03.254{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:04.274{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:05.293{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:06.312{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:07.331{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:08.350{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:09.370{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:10.389{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:11.408{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:12.442{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:12.430{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014145995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:12.430{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:13.461{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:14.480{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:15.500{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:16.528{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:17.547{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:18.567{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:19.586{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:20.605{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014146915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:21.625{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:22.658{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:22.646{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:22.646{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
534500x800000000000000014147531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.941{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exe
23542300x800000000000000014147530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.938{8B6011A9-BA1F-6154-0C1A-02000000F001}2540ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tdotjszundpkydpcqd.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue
734700x800000000000000014147529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.937{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014147528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.936{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014147527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.934{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014147526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.932{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014147525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.932{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014147524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.931{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014147523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.931{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014147522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.931{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014147521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.930{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014147520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.930{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014147519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.930{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014147518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.929{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014147517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.929{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014147516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.928{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014147515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.927{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014147514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.927{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014147513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.926{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014147512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.924{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014147511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.922{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014147510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.921{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014147509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.910{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014147508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.908{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014147507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.907{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014147506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.907{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014147505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.906{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014147504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.904{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014147503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.894{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014147502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.890{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014147501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.890{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014147500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.889{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.888{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.888{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014147497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.887{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014147496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.887{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014147495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.885{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014147494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.884{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014147493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.883{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014147492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.883{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014147491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.882{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014147490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.882{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014147489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.882{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014147488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.882{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014147487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.881{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014147486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.881{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014147485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.881{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014147484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.880{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014147483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.880{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014147482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.880{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014147481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.880{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014147480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.879{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014147479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.879{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014147478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.879{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014147477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.878{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014147476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.878{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014147475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.877{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
534500x800000000000000014147474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.877{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe
734700x800000000000000014147473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.876{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014147472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.876{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014147471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.876{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014147470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.876{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014147469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.875{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014147468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.875{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014147467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.875{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014147466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.874{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
12241200x800000000000000014147465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.874{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
12241200x800000000000000014147464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.874{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
734700x800000000000000014147463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.874{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014147462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.873{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014147461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.873{8B6011A9-B9FE-6154-E419-02000000F001}15929300C:\Windows\winhlp32.exe{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014147460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.873{8B6011A9-BA1F-6154-0C1A-02000000F001}2540C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\tdotjszundpkydpcqd.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
13241300x800000000000000014147459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.870{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014147458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.870{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014147457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.869{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014147456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.869{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014147455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.869{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014147454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.861{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
734700x800000000000000014147453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
12241200x800000000000000014147452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications
12241200x800000000000000014147451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications
13241300x800000000000000014147450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data
12241200x800000000000000014147449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.860{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
12241200x800000000000000014147448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.859{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
10341000x800000000000000014147447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.857{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014147446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.856{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014147445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:23.855{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014147444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.849{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014147443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014147442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014147441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.843{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
10341000x800000000000000014147440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014147438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.831{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014147437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.830{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
11241100x800000000000000014147436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.829{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tdotjszundpkydpcqd.vbs2021-09-29 19:10:23.829
12241200x800000000000000014147435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-29 19:10:23.828{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
10341000x800000000000000014147424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:23.678{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-B9FE-6154-E419-02000000F001}1592C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.888{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014148296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.888{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014148295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.887{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
10341000x800000000000000014148294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.783{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.783{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.782{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.779{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.779{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.769{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
13241300x800000000000000014148201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.746{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.745{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014148197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
12241200x800000000000000014148196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014148195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014148194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014148193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014148192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014148191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.744{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014148190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014148189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014148188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014148187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014148186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014148185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014148184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014148183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.743{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014148182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.742{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
734700x800000000000000014148181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.741{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014148180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.741{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
12241200x800000000000000014148179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.727{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014148178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.727{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid
734700x800000000000000014148177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.717{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014148176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
12241200x800000000000000014148175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.716{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.715{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.713{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014148167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.713{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
13241300x800000000000000014148166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014148165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014148164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.711{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014148162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014148161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014148160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014148159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014148158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014148157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014148156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014148155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014148154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.709{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014148153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
13241300x800000000000000014148152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014148151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014148150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.708{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid
12241200x800000000000000014148149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014148148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
12241200x800000000000000014148147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014148146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.707{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid
734700x800000000000000014148145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.701{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014148144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.701{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid
734700x800000000000000014148143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.700{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
10341000x800000000000000014148142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.698{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.698{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.694{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014148139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.693{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid
734700x800000000000000014148138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014148137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014148136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014148135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.665{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014148134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.663{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
734700x800000000000000014148133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.662{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014148132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014148131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014148130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014148129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014148128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.659{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014148127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.658{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014148126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.658{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014148125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.657{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014148124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.657{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014148123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.656{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014148122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014148121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014148120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.655{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014148119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.654{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014148118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014148117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014148116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014148115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.652{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014148114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.651{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014148113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.650{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014148112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.649{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014148111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.649{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014148110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.648{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014148109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014148108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014148107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.647{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014148106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.646{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.645{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.645{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.644{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014148102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.644{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014148101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.641{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014148100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.641{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014148099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.640{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014148098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.640{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014148097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014148096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014148095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014148094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.639{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014148093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.638{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014148092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.638{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014148091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.638{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014148090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.637{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014148089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.637{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014148088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.637{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014148087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.637{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
534500x800000000000000014148086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.636{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exe
734700x800000000000000014148085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.636{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014148084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.636{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014148083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.636{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014148082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.634{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014148081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.634{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014148080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.633{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014148079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.633{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014148078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.633{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014148077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.633{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014148076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.632{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014148075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.632{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014148074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.632{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014148073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.631{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014148072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.631{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014148071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.631{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014148070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.630{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014148069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.629{8B6011A9-BA24-6154-0D1A-02000000F001}74567528C:\Windows\System32\WScript.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014148068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.629{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014148067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.626{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000014148066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.625{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014148065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.621{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
734700x800000000000000014148052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.612{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000014148051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.610{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000014148050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.608{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000014148049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.608{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
12241200x800000000000000014148048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.607{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000014148047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.607{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000014148046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.607{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
734700x800000000000000014148045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.607{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
734700x800000000000000014148044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.360{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014148043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.360{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014148042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.359{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014148041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.254{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
13241300x800000000000000014148040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.243{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.243{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.243{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.242{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.242{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014148035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.242{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014148034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.241{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000014148033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014148032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014148031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014148030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014148029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014148028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014148027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014148026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014148025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014148024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014148023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014148022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014148021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014148020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.239{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014148019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.238{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014148018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.236{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000014148017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.234{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000014148016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.221{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014148015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.221{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014148014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.212{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
734700x800000000000000014148013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014148012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.208{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.206{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014148004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.205{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014148003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.203{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014148002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.203{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014148001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.203{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
734700x800000000000000014147999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.202{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x800000000000000014147998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.202{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014147997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014147996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014147995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014147994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014147993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014147992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014147991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000014147990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.201{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
13241300x800000000000000014147989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.199{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014147988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.199{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014147987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014147986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014147985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014147984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.198{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014147983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.197{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014147982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.191{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014147981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.191{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014147980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.189{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014147979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.184{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.184{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014147977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.184{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014147976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.180{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014147975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.180{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
734700x800000000000000014147974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014147973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014147972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.179{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014147971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.178{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014147970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.177{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
734700x800000000000000014147969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.176{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014147968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.174{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014147967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.173{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014147966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.173{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014147965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014147964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014147963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.172{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014147962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.170{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014147961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.169{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014147960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.169{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
734700x800000000000000014147959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.168{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
12241200x800000000000000014147958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.168{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014147957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014147956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014147955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.167{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014147954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.166{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014147953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.164{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014147952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.162{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014147951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.161{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014147950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.161{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014147949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.160{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014147948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.160{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
734700x800000000000000014147947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.159{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014147946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.158{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014147944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.156{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
734700x800000000000000014147943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.145{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014147942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.144{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014147941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:28.144{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014147940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.144{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.143{8B6011A9-51ED-6143-1600-00000000F001}13242576C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014147938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.142{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014147937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.142{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014147936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.142{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014147935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.139{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
734700x800000000000000014147934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.139{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014147933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.138{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014147932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.138{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014147931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.138{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014147930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.137{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014147929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.137{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014147928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.137{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x800000000000000014147927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.137{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x800000000000000014147926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.137{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000014147925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.136{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000014147924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.136{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014147923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.125{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x800000000000000014147922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.124{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x800000000000000014147921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.124{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000014147920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.124{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x800000000000000014147919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.123{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x800000000000000014147918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.122{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014147917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.117{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
13241300x800000000000000014147907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:28.106{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b565-0xaa1ce199)
734700x800000000000000014147896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.102{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid
10341000x800000000000000014147895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.101{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014147894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.100{8B6011A9-EF7D-6151-C8C2-01000000F001}86488804C:\Windows\explorer.exe{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014147893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:28.100{8B6011A9-BA24-6154-0D1A-02000000F001}7456C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK
10341000x800000000000000014148501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.807{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.807{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.806{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.242{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
13241300x800000000000000014148405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:29.238{8B6011A9-BA25-6154-0F1A-02000000F001}1148C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014148403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.238{8B6011A9-BA25-6154-0F1A-02000000F001}1148C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014148354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.214{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid
10341000x800000000000000014148352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.213{8B6011A9-BA24-6154-0E1A-02000000F001}27802248C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA25-6154-0F1A-02000000F001}1148C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014148351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.213{8B6011A9-BA25-6154-0F1A-02000000F001}1148C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014148350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.209{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014148349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:29.209{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
12241200x800000000000000014148348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:29.199{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014148347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:29.199{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014148346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.199{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
734700x800000000000000014148345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.197{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014148318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.181{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
734700x800000000000000014148317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.180{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014148316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.178{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014148315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.178{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
12241200x800000000000000014148314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:29.177{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
12241200x800000000000000014148313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:29.177{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
734700x800000000000000014148312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.177{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014148311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:29.176{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
10341000x800000000000000014148595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:30.829{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a89ec|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:30.829{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a89dd|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:30.829{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000014148504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:44.016{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62390-false172.67.68.88-443https
22542200x800000000000000014148503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:45.092{8B6011A9-BA24-6154-0E1A-02000000F001}2780paste.ee0::ffff:172.67.68.88;::ffff:104.26.5.223;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000014148822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.855{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\procexp64.exe+51b6c|C:\Users\Administrator\Downloads\procexp64.exe+538b7|C:\Users\Administrator\Downloads\procexp64.exe+a9f81|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.855{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+79325|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+793d7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b639|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1b529|C:\Users\Administrator\Downloads\procexp64.exe+747e7|C:\Users\Administrator\Downloads\procexp64.exe+a9f6e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.855{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Administrator\Downloads\procexp64.exe+a9e0f|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.850{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\winsta.dll+1178|C:\Windows\SYSTEM32\winsta.dll+10b5|C:\Users\Administrator\Downloads\procexp64.exe+a5184|C:\Users\Administrator\Downloads\procexp64.exe+a951e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.850{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a9381|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.850{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014148729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.499{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014148728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.499{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
13241300x800000000000000014148724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:31.266{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014148722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.266{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014148716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.259{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
734700x800000000000000014148715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.257{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014148713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.257{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
12241200x800000000000000014148710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.256{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.256{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.256{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.256{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014148705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.256{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid
734700x800000000000000014148703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.255{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid
12241200x800000000000000014148702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.255{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.255{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014148700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.255{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014148699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.255{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014148698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.254{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014148697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.254{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
734700x800000000000000014148695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.254{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid
734700x800000000000000014148692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.253{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
10341000x800000000000000014148687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.252{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014148686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.252{8B6011A9-51EB-6143-0B00-00000000F001}6328352C:\Windows\system32\lsass.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014148682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99
12241200x800000000000000014148681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
13241300x800000000000000014148680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data
12241200x800000000000000014148679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
734700x800000000000000014148677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.251{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
734700x800000000000000014148664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014148661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014148660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
10341000x800000000000000014148620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA24-6154-0E1A-02000000F001}278010156C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
734700x800000000000000014148619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
154100x800000000000000014148618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.239{8B6011A9-BA27-6154-111A-02000000F001}8284C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
12241200x800000000000000014148612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.236{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
734700x800000000000000014148611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.236{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
12241200x800000000000000014148610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:31.236{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
10341000x800000000000000014148601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014148600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005C40169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000008104580)
154100x800000000000000014148599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:31.231{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
354300x800000000000000014149187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:46.788{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62392-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
13241300x800000000000000014149183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:10:33.303{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014149181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.303{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
534500x800000000000000014149164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.290{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exe
734700x800000000000000014149147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.286{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014149143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014149142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014149141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.285{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014149140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014149139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014149138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014149137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.284{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014149136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014149134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014149133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014149132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.283{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014149131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014149129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014149127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.282{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014149126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014149124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014149122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.281{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014149119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.280{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014149117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.280{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014149114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014149113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014149111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.279{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014149108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014149107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014149106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.278{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014149105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
10341000x800000000000000014149103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA24-6154-0E1A-02000000F001}27807376C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
734700x800000000000000014149102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
154100x800000000000000014149101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-131A-02000000F001}7208C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014149100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014149099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.277{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014149098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.276{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014149097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.275{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014149096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.275{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014149095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.274{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
12241200x800000000000000014149094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:33.274{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014149093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:10:33.274{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014149092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.274{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014149091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.274{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014149090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.274{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014149089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.273{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014149088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.273{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014149087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.273{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014149086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.272{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014149085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.272{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014149084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.272{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014149083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.269{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014149082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.269{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(00000000070F0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000081045B0)
154100x800000000000000014149081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:33.269{8B6011A9-BA29-6154-121A-02000000F001}5176C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
22542200x800000000000000014149080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:47.632{8B6011A9-BA27-6154-101A-02000000F001}9976snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe
10341000x800000000000000014149371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:34.937{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:34.937{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.957{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
534500x800000000000000014149466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.375{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe
10341000x800000000000000014149463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.355{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014149462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.355{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64)
10341000x800000000000000014149461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014149460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+43fa32(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)|C:\Windows\System32\SHELL32.dll+4ff579(wow64)
10341000x800000000000000014149459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014149458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+50036e(wow64)
10341000x800000000000000014149457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)
10341000x800000000000000014149456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b688f(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014149455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.354{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b709(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014149454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+15b68a(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)
10341000x800000000000000014149453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)
10341000x800000000000000014149452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+15b675(wow64)|C:\Windows\System32\SHELL32.dll+15b21c(wow64)|C:\Windows\System32\SHELL32.dll+153ccd(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)|C:\Windows\System32\windows.storage.dll+1b66f9(wow64)|C:\Windows\System32\windows.storage.dll+1b6563(wow64)
10341000x800000000000000014149451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014149450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)|C:\Windows\System32\windows.storage.dll+10a9ee(wow64)|C:\Windows\System32\windows.storage.dll+10a563(wow64)|C:\Windows\System32\windows.storage.dll+1b6dfd(wow64)
10341000x800000000000000014149449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.353{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)
10341000x800000000000000014149448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.352{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+e3516(wow64)|C:\Windows\System32\windows.storage.dll+a5bed(wow64)|C:\Windows\System32\windows.storage.dll+26e445(wow64)|C:\Windows\System32\SHELL32.dll+152f5d(wow64)|C:\Windows\System32\SHELL32.dll+1539f6(wow64)
734700x800000000000000014149447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.352{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6BE1DAE295EADF4A058F83C164A27089,SHA256=E224C9F92047171D4A9080B323D31EF1303902A2700C1D6AD2B4997BB8FE4B1CtrueMicrosoft WindowsValid
18141800x800000000000000014149446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-09-29 19:10:35.351{8B6011A9-BA24-6154-0E1A-02000000F001}2780\srvsvcC:\Windows\SYSWOW64\WSCRIPT.EXE
734700x800000000000000014149445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.351{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=5C24C4B638BB4A833C62B8D3EC6E5B87,SHA256=2D3AB065A2BE9EC5AAD54161459CFF331F1C2583C4535AFBE05C1C092158FFA6trueMicrosoft WindowsValid
734700x800000000000000014149444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.350{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=19D8119776943ED31455C54472DBFAFC,SHA256=7D139A7F2A401D71CD40EA7D165888238CEA099380337DDFFFBE5654EC18B3A6trueMicrosoft WindowsValid
10341000x800000000000000014149443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014149442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)|C:\Windows\System32\SHELL32.dll+43f955(wow64)|C:\Windows\System32\SHELL32.dll+43e904(wow64)|C:\Windows\System32\SHELL32.dll+43df30(wow64)
10341000x800000000000000014149441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)
10341000x800000000000000014149440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db585(wow64)|C:\Windows\System32\windows.storage.dll+1db617(wow64)|C:\Windows\System32\windows.storage.dll+1b7503(wow64)|C:\Windows\System32\windows.storage.dll+1b743f(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)|C:\Windows\System32\windows.storage.dll+1b6556(wow64)|C:\Windows\System32\SHELL32.dll+4411c1(wow64)
10341000x800000000000000014149439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dbb09(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014149438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1dba3c(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)|C:\Windows\System32\windows.storage.dll+1b4844(wow64)|C:\Windows\System32\windows.storage.dll+1b8110(wow64)|C:\Windows\System32\windows.storage.dll+1b73db(wow64)|C:\Windows\System32\windows.storage.dll+1b6fae(wow64)
10341000x800000000000000014149437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.347{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1dba27(wow64)|C:\Windows\System32\windows.storage.dll+1db905(wow64)|C:\Windows\System32\windows.storage.dll+1db766(wow64)|C:\Windows\System32\windows.storage.dll+1b5091(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+1b32d2(wow64)|C:\Windows\System32\windows.storage.dll+1b2c30(wow64)
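EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=14149430 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-469.attackrange.local | RuleName=- | UtcTime=2021-09-29 19:10:35.345 | ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001} | ProcessId=2780 | Image=C:\Windows\SYSWOW64\WSCRIPT.EXE | TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs | CreationUtcTime=2021-09-29 18:56:37.362
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=14149429 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-469.attackrange.local | RuleName=- | UtcTime=2021-09-29 19:10:35.345 | ProcessGuid={8B6011A9-BA24-6154-0E1A-02000000F001} | ProcessId=2780 | User=ATTACKRANGE\Administrator | Image=C:\Windows\SYSWOW64\WSCRIPT.EXE | TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remcos.vbs | Hashes=MD5=FCE037AAD780C08C85DB2F24BFF80CFA,SHA256=CB77B93150CB0F7FE65CE8A7E2A5781E727419451355A7736DB84109FA215A89 | IsExecutable=false | Archived=true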
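EventID=5 | Version=3 | Level=4 | Task=5 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=14149418 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-469.attackrange.local | RuleName=- | UtcTime=2021-09-29 19:10:35.329 | ProcessGuid={8B6011A9-BA2B-6154-141A-02000000F001} | ProcessId=3392 | Image=C:\Windows\winhlp32.exe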
734700x800000000000000014149379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014149378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.314{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014149377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014149376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014149375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.313{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
10341000x800000000000000014149374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014149373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-BA24-6154-0E1A-02000000F001}27807032C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000007250169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000081045C8)
154100x800000000000000014149372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:35.310{8B6011A9-BA2B-6154-141A-02000000F001}3392C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E{8B6011A9-BA24-6154-0E1A-02000000F001}2780C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
10341000x800000000000000014149643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:36.976{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:38.010{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:39.029{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:40.053{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014149997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:41.074{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:42.093{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:43.126{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:43.114{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:43.114{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:44.144{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:45.165{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:46.191{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:47.208{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014150956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:48.226{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:49.245{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:50.263{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:51.282{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:52.301{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:53.336{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:53.325{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:53.325{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:54.356{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:55.375{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:56.394{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014151915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:57.413{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:58.433{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:10:59.526{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:00.545{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:01.564{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:02.584{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:03.623{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:03.608{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014152885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:03.608{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:04.659{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:05.679{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:06.700{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:07.722{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:08.743{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:09.764{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:10.784{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:11.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014153836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:12.823{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:13.863{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:13.845{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:13.845{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:14.882{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:15.901{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:16.920{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:17.942{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:18.964{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:19.983{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:21.002{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:22.021{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014154963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:23.040{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:24.075{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:24.061{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:24.061{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:25.108{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:26.125{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:27.145{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:28.164{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:29.186{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014155935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:30.205{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:31.224{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:32.246{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:33.270{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:34.308{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:34.296{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:34.296{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:35.326{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:36.345{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:37.363{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:38.382{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:39.400{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014156993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:40.422{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:41.441{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:42.462{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:43.483{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:44.527{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:44.511{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:44.511{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:45.544{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:46.563{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014157954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:47.581{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:48.599{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:49.617{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:50.636{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:51.653{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:52.672{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:53.690{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:54.724{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:54.712{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:54.711{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:55.744{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014158913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:56.766{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:57.786{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:58.804{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:11:59.826{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:00.845{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:01.863{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:02.882{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:03.901{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:04.936{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:04.925{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:04.925{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:05.954{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014159966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:06.973{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:07.992{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:09.016{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:10.034{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:11.054{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:12.072{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:13.094{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:14.113{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:15.153{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:15.136{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:15.136{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014160957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:16.172{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:17.191{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:18.210{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:19.231{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:20.252{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:21.272{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:22.296{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:23.316{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014161788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:24.335{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:25.374{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:25.362{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:25.362{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:26.391{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:27.410{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:28.429{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:29.448{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:30.467{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:31.486{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:32.504{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:33.523{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014162962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:34.543{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:35.582{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:35.569{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:35.569{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:36.601{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:37.621{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:38.639{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:39.658{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:40.678{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:41.696{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:42.717{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014163920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:43.736{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:44.754{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:45.787{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:45.775{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:45.775{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:46.805{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:47.824{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:48.842{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:49.862{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:50.879{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014164964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:51.897{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:52.917{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:53.935{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:54.954{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:55.992{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:55.980{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:55.980{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:57.010{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:58.028{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:12:59.047{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:00.066{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014165927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:01.084{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:02.107{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:03.127{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:04.145{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:05.164{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:06.198{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:06.187{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:06.187{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:07.217{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:08.237{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:09.257{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:10.275{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014166986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:11.299{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:12.318{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000014166990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:24.749{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62473-false46.43.90.184ADSL-46.43.90.184.mada.ps7676-
10341000x800000000000000014167164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:13.338{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:14.357{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:15.376{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:16.409{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:16.397{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:16.397{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\advapi32.dll+12060|C:\Windows\System32\advapi32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Users\Administrator\Downloads\procexp64.exe+7915d|C:\Users\Administrator\Downloads\procexp64.exe+a926e|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:17.428{8B6011A9-B9EA-6154-7918-02000000F001}44889824C:\Users\Administrator\Downloads\procexp64.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\procexp64.exe+a822a|C:\Users\Administrator\Downloads\procexp64.exe+836d5|C:\Users\Administrator\Downloads\procexp64.exe+c799c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
534500x800000000000000014167909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.315{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exe
23542300x800000000000000014167908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.313{8B6011A9-BACE-6154-281A-02000000F001}8464ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tgmby.vbsMD5=2FCC53839A07381C433BEBE1F3BD1B7F,SHA256=71F0A43E515536C7786776AEAEDB1087E4675D4E7EDC83B36BC89327CF2571DDfalsetrue
734700x800000000000000014167907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.312{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014167906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.311{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014167905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.310{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
734700x800000000000000014167904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.308{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014167903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.308{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014167902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014167901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014167900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014167899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.307{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014167898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.306{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014167897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.306{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014167896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.305{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014167895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.305{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
12241200x800000000000000014167894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.304{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014167893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.303{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014167892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.303{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014167891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.302{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014167890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.300{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014167889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.300{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014167888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.300{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014167887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.300{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014167886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.299{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014167885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.298{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014167884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.297{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014167883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.297{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014167882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.295{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014167871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.289{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014167861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.295{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014167856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.294{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014167855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.294{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014167854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.293{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.292{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.292{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014167851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.292{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014167849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.291{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014167845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.288{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014167823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.287{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014167822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.287{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014167821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.287{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014167820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.287{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014167819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.286{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014167818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.286{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014167817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.286{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014167816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.286{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014167815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.285{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014167814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.285{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014167813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.285{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014167812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.285{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014167811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.284{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014167810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.284{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014167809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.284{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014167808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.284{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014167807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.282{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014167806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.282{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014167805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.281{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
534500x800000000000000014167804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.281{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe
734700x800000000000000014167803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.281{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014167802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.281{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014167801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.280{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014167795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.280{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014167791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.264{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid
734700x800000000000000014167780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.280{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014167774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.279{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014167773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.279{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
12241200x800000000000000014167772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.279{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
12241200x800000000000000014167771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.279{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings
734700x800000000000000014167770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.279{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x800000000000000014167769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.278{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
10341000x800000000000000014167768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.278{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014167767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.277{8B6011A9-BA27-6154-101A-02000000F001}99766884C:\Windows\winhlp32.exe{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014167766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.278{8B6011A9-BACE-6154-281A-02000000F001}8464C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\2\tgmby.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"
13241300x800000000000000014167765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:13:18.274{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014167764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:13:18.274{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014167763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:13:18.274{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014167762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:13:18.274{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014167761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.273{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
734700x800000000000000014167759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.248{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
12241200x800000000000000014167740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.265{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
12241200x800000000000000014167734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.263{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\RegisteredApplications
12241200x800000000000000014167733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.263{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\SOFTWARE\RegisteredApplications
13241300x800000000000000014167732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:13:18.263{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFileBinary Data
12241200x800000000000000014167731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.263{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
12241200x800000000000000014167730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.263{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
10341000x800000000000000014167728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.261{8B6011A9-51ED-6143-0C00-00000000F001}8528280C:\Windows\system32\svchost.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014167727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.259{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
12241200x800000000000000014167726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:13:18.258{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014167723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.247{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014167699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.252{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014167698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.250{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014167697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.249{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
734700x800000000000000014167696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.249{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
10341000x800000000000000014167695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.248{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014167694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.248{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x800000000000000014167689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:13:18.246{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tgmby.vbs2021-09-29 19:13:18.245
12241200x800000000000000014167688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-09-29 19:13:18.245{8B6011A9-BA27-6154-101A-02000000F001}9976C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
734700x800000000000000014209038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.858{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid
734700x800000000000000014209011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.847{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid
734700x800000000000000014208986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.844{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid
734700x800000000000000014208961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.861{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid
734700x800000000000000014208958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.859{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
734700x800000000000000014208957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.843{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValid
12241200x800000000000000014208926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.853{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014208924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.853{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x800000000000000014208923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.852{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x800000000000000014208921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.851{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x800000000000000014208920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.851{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x800000000000000014208916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.848{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid
734700x800000000000000014208915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.848{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x800000000000000014208914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.847{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
734700x800000000000000014208897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.835{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x800000000000000014208896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.834{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
734700x800000000000000014208895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.831{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid
734700x800000000000000014208894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.831{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid
12241200x800000000000000014208890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.825{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014208888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:30.825{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
10341000x800000000000000014208887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.820{8B6011A9-51ED-6143-0C00-00000000F001}8528212C:\Windows\system32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014208885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.814{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014208884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.813{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014208883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.813{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000014208882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.812{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000014208877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.785{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2trueMicrosoft WindowsValid
734700x800000000000000014208875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.797{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
13241300x800000000000000014208856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:30.795{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WScript.exeQWORD (0x01d7b566-0xed949d6e)
734700x800000000000000014208848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.794{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
734700x800000000000000014208847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x800000000000000014208846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x800000000000000014208845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.793{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x800000000000000014208844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000014208843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x800000000000000014208842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.792{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x800000000000000014208840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x800000000000000014208839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000014208837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.791{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000014208836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.790{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014208834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.790{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x800000000000000014208833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.789{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x800000000000000014208831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.789{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000014208830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.788{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x800000000000000014208827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.787{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x800000000000000014208824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.787{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014208820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.786{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
10341000x800000000000000014208819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.783{8B6011A9-5DE3-6143-C106-00000000F001}4363920C:\Windows\system32\csrss.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014208818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.783{8B6011A9-EF7D-6151-C8C2-01000000F001}86487512C:\Windows\explorer.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014208817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:30.781{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs" C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=BEB231ACF04E40B506403920D4DD795A,SHA256=2548884526E8FBC5781F5B3B2972E9B20CC16DD86BDE93D2E888023F6919F5A2{8B6011A9-EF7D-6151-C8C2-01000000F001}8648C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK
734700x800000000000000014209407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.993{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014209405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.973{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exeMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FACtrueMicrosoft WindowsValid
534500x800000000000000014209381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.981{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe
734700x800000000000000014209377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.973{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
10341000x800000000000000014209376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.972{8B6011A9-5DE3-6143-C106-00000000F001}4364940C:\Windows\system32\csrss.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014209375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.971{8B6011A9-BC42-6154-611A-02000000F001}77126668C:\Windows\System32\WScript.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000014209374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.970{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=6FA091DD757D5A64DC7B64F103198C10,SHA256=F451827D9D32C792C821EF0B89FEBF002D29004605B20CAACE53467EC01D2FAC{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014209373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.962{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid
12241200x800000000000000014209372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.959{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014209371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.949{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid
734700x800000000000000014209286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.826{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
734700x800000000000000014209285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.815{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x800000000000000014209284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.803{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=A15C7B10E3ADC397E51DA4A8903DEDA5,SHA256=B7D86B8C9415D06FC2ECD76BAE31E82682C4DCFC196DC52575ED4F56429BF7DCtrueMicrosoft WindowsValid
734700x800000000000000014209274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.812{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid
734700x800000000000000014209259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.809{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
12241200x800000000000000014209257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
12241200x800000000000000014209256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM
734700x800000000000000014209255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.807{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid
734700x800000000000000014209252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.552{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid
734700x800000000000000014209225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.551{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
734700x800000000000000014209200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.550{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid
734700x800000000000000014209173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.419{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid
13241300x800000000000000014209172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.405{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014209171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.405{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014209170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014209169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014209168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014209167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.404{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014209166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.402{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
12241200x800000000000000014209165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.401{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014209164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014209163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014209162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014209161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014209160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014209159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014209158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014209157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.400{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014209156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014209155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014209154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.399{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014209153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.398{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014209152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.390{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
734700x800000000000000014209151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.367{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x800000000000000014209150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.367{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x800000000000000014209149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.366{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
12241200x800000000000000014209146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.350{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014209145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.350{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid
734700x800000000000000014209144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.335{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid
12241200x800000000000000014209143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014209141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid
12241200x800000000000000014209140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.154{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.153{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014209135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.150{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
734700x800000000000000014209134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.149{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
13241300x800000000000000014209133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.142{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014209132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.141{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014209131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.140{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014209129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.137{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014209128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014209127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014209126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014209125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014209124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014209123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.136{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014209122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.135{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014209121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.135{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014209120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014209119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
734700x800000000000000014209118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x800000000000000014209117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.134{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
12241200x800000000000000014209116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.133{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014209115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:31.133{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014209114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.132{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
734700x800000000000000014209113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.107{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid
734700x800000000000000014209112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.131{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid
734700x800000000000000014209110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.130{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x800000000000000014209103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.130{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x800000000000000014209086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.127{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x800000000000000014209084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.122{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014209083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.122{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014209082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.122{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x800000000000000014209081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.113{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
734700x800000000000000014209080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.111{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid
734700x800000000000000014209079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x800000000000000014209078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
734700x800000000000000014209077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.110{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x800000000000000014209076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.109{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid
734700x800000000000000014209073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.091{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=3F155F13E3FDA8FFD111D5FD453CCBA2,SHA256=797768F0B0965B1E19280AE4114FE0E2EEF0784D7A3270C38F113E1C43519A00trueMicrosoft WindowsValid
734700x800000000000000014209046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.084{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000014209045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.084{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x800000000000000014209044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.083{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x800000000000000014209043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.083{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000014209042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.080{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid
734700x800000000000000014209041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.026{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000014209040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.026{8B6011A9-BC42-6154-611A-02000000F001}7712C:\Windows\System32\wscript.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid
734700x800000000000000014211353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.956{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5trueMicrosoft WindowsValid
734700x800000000000000014211326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.951{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BCtrueMicrosoft WindowsValid
734700x800000000000000014211280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.949{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366trueMicrosoft WindowsValid
734700x800000000000000014211241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.947{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965CtrueMicrosoft WindowsValid
734700x800000000000000014211214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.944{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730ECtrueMicrosoft WindowsValid
12241200x800000000000000014211189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.948{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
12241200x800000000000000014211188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.948{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM
734700x800000000000000014211185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.652{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=07469983629586721193B10324583512,SHA256=921BA30B49DA4B71B60DA3F51CA589A82330718AD8A48B19351067029E4CF5A9trueMicrosoft WindowsValid
734700x800000000000000014211158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.651{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
734700x800000000000000014211133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.650{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=17FDF3B450ACFFCA44AD1702F9098A1D,SHA256=87506D26958F2785E71EEBCA88775C3B9E50ACDA5B1A059DBD5F9D43615A3008trueMicrosoft WindowsValid
734700x800000000000000014211106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.522{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid
734700x800000000000000014211081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.506{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C33695B9200980F960892E56C521DE3D,SHA256=9E9299C57AC68B7AF1AFF73ABAB0010D44F94C11B3C003BAA19B2AA5D4D5E869trueMicrosoft WindowsValid
734700x800000000000000014211054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.500{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid
734700x800000000000000014211027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.498{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid
734700x800000000000000014211002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.496{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid
734700x800000000000000014210977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.495{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid
734700x800000000000000014210950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.478{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid
734700x800000000000000014210923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.465{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
734700x800000000000000014210896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
734700x800000000000000014210869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.457{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
734700x800000000000000014210844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014210819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.444{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid
734700x800000000000000014210794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.442{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
734700x800000000000000014210769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.439{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid
734700x800000000000000014210742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.438{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014210717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.436{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid
734700x800000000000000014210690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.434{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014210665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.413{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid
734700x800000000000000014210638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.412{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014210613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.395{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014210588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.395{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014210563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.394{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014210536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.380{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=56D0E2D27BCF4A5A87F5725CAD21D8F1,SHA256=C7BF42431CDE7E167C20B6F6D82962A863792D4D65EB593C829E94E833613AD5trueMicrosoft WindowsValid
13241300x800000000000000014210511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.509{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014210510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014210509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
13241300x800000000000000014210508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.508{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data
734700x800000000000000014210505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.366{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll5.812.10240.16384Windows ® Script Component RuntimeMicrosoft ® Windows ® Script Component RuntimeMicrosoft Corporationscrobj.dllMD5=17C498164D39CA58C95D78F98DCCC357,SHA256=8BE2D0D442A0575EC67D47E7795A8C2A21B7E34C8714CFFCD05A40AB8D93480AtrueMicrosoft WindowsValid
12241200x800000000000000014210495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.503{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
12241200x800000000000000014210491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.503{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
12241200x800000000000000014210486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014210484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
12241200x800000000000000014210482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014210479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\CA
12241200x800000000000000014210476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
12241200x800000000000000014210475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014210473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.502{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
12241200x800000000000000014210472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
12241200x800000000000000014210471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014210470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
12241200x800000000000000014210469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.501{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014210465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.360{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014210440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.359{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014210415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.355{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
12241200x800000000000000014210391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.479{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
734700x800000000000000014210389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.352{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014210364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.350{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
12241200x800000000000000014210340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.462{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.461{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.460{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.460{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014210333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.457{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
13241300x800000000000000014210332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.450{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x800000000000000014210331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.449{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x800000000000000014210330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.449{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
13241300x800000000000000014210328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
12241200x800000000000000014210327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014210326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014210325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
12241200x800000000000000014210324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
12241200x800000000000000014210323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
12241200x800000000000000014210322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.445{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
13241300x800000000000000014210321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.444{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014210320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.444{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x800000000000000014210319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.442{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x800000000000000014210318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:32.442{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
12241200x800000000000000014210317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.440{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
12241200x800000000000000014210316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.440{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
734700x800000000000000014210314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.306{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
10341000x800000000000000014210290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.426{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014210289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.426{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014210287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.304{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
734700x800000000000000014210263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.415{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid
734700x800000000000000014210259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.146{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=C77AD2A9BCD8875EF19844AF283EB3FF,SHA256=4650022CFD056E3D5AFEF7B84F38A78130FAD6BBFF7B800F4D2157257AA206BAtrueMicrosoft WindowsValid
734700x800000000000000014210232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.144{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=ED074CA4F56D4CE14CAA1EB72952CC69,SHA256=F183598A950868097F6AD2E86596170B92F4CBEC87DD8E207121E0F57F92F54AtrueMicrosoft WindowsValid
734700x800000000000000014210207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.141{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=51E711B57A5AA33B0592C837DADA5B71,SHA256=9552C2F37E38BE7CC618DD5881F6E3715491F027B738D161BC5F875E989B8112trueMicrosoft WindowsValid
734700x800000000000000014210180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.137{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014210155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.136{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014210130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.134{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014210105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.131{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid
734700x800000000000000014210080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.130{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid
734700x800000000000000014210055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.130{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid
734700x800000000000000014210030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.128{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=72F4CD1246EA663FC42F70CFBCA19ED7,SHA256=E28EC7CBB9D718448B5FED5D06E35D179D4D45519274A56A92A955BD8CA7039DtrueMicrosoft WindowsValid
734700x800000000000000014210003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.127{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=0566889B8542B507F369C071744CD58F,SHA256=4B9BCA4F7B0EEF3A235D3EDDAE700497D54BD3FC42565AB89A3F65930EB94FFAtrueMicrosoft WindowsValid
734700x800000000000000014209976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.114{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014209951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.099{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014209924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.082{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014209899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.075{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid
734700x800000000000000014209874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.071{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid
12241200x800000000000000014209850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.138{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x800000000000000014209848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.066{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014209824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.130{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=77D1E6B39B0A1A221E23209A8F10AE8C,SHA256=474B6C0D7F8D25F225DB55533706ED090DB77BCECB5926EBE5ED248B43748A45trueMicrosoft WindowsValid
734700x800000000000000014209823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.122{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid
734700x800000000000000014209822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.121{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid
734700x800000000000000014209820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.055{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014209819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.120{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid
734700x800000000000000014209818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.119{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=574CE73F5F8AEE6C2219547BC8DC88A2,SHA256=68B28AF187AFD6453173D1DC09C9C11CF10FA886FD5877B83170CAA3B0706784trueMicrosoft WindowsValid
12241200x800000000000000014209808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.118{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows Script Host\Settings
12241200x800000000000000014209806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:32.118{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
10341000x800000000000000014209792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.117{8B6011A9-51ED-6143-0C00-00000000F001}8529244C:\Windows\system32\svchost.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014209791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.115{8B6011A9-51ED-6143-1600-00000000F001}13241472C:\Windows\System32\svchost.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014209790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.115{8B6011A9-51ED-6143-1600-00000000F001}13241356C:\Windows\System32\svchost.exe{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x800000000000000014209789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.115{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid
734700x800000000000000014209787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.053{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014209763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.109{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014209761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.052{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014209760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.107{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid
734700x800000000000000014209757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.106{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid
734700x800000000000000014209734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.040{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014209709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.037{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014209684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.037{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014209659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.035{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014209634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.028{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014209609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.026{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014209584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.020{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014209559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.015{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014209534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.000{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014209509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.999{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014209508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.001{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014209483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.993{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014209458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.989{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014209433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.986{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014209432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.999{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014209431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:31.999{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
354300x800000000000000014211766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:47.773{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local62528-false104.26.5.223-443https
734700x800000000000000014211753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.160{8B6011A9-BC45-6154-641A-02000000F001}4740C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014211752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.165{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
13241300x800000000000000014211641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:33.161{8B6011A9-BC45-6154-641A-02000000F001}4740C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
734700x800000000000000014211470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.057{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid
734700x800000000000000014211443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.043{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid
10341000x800000000000000014211433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.051{8B6011A9-BC43-6154-631A-02000000F001}9204520C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC45-6154-641A-02000000F001}4740C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014211431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.051{8B6011A9-BC45-6154-641A-02000000F001}4740C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
12241200x800000000000000014211413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:33.040{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
734700x800000000000000014211412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.017{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid
12241200x800000000000000014211387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:33.018{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014211385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:33.018{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014211383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:32.964{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4BtrueMicrosoft WindowsValid
734700x800000000000000014211358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:33.002{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid
734700x800000000000000014212109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.471{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid
734700x800000000000000014212108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.470{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid
734700x800000000000000014212107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid
734700x800000000000000014212080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.218{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid
734700x800000000000000014212053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.214{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid
734700x800000000000000014212026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid
734700x800000000000000014212002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.232{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid
734700x800000000000000014212000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.202{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid
734700x800000000000000014211999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.230{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
734700x800000000000000014211998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.229{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid
12241200x800000000000000014211973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.220{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014211972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.220{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014211971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014211970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.219{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014211968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.217{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x800000000000000014211965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.217{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
13241300x800000000000000014211964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.216{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll
12241200x800000000000000014211962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.216{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
734700x800000000000000014211961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.216{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll1.00DynamicWrapperX objectDynamicWrapperX-dynwrapx.dllMD5=E0B8DFD17B8E7DE760B273D18E58B142,SHA256=4EF3A6703ABC6B2B8E2CAC3031C1E5B86FE8B377FDE92737349EE52BD2604379false-Unavailable
734700x800000000000000014211960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.216{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid
734700x800000000000000014211959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.215{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid
734700x800000000000000014211957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.215{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid
734700x800000000000000014211953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.213{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid
10341000x800000000000000014211952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.211{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000014211951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.210{8B6011A9-51EB-6143-0B00-00000000F001}6329776C:\Windows\system32\lsass.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000014211950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\licence9584519EA5622881142A29E8C8437D99
12241200x800000000000000014211949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
13241300x800000000000000014211948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO\exepathBinary Data
12241200x800000000000000014211947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.209{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Remasascos-LVXDHO
734700x800000000000000014211943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.190{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
734700x800000000000000014211942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.190{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid
22542200x800000000000000014211913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:48.847{8B6011A9-BC43-6154-631A-02000000F001}920paste.ee0::ffff:104.26.5.223;::ffff:172.67.68.88;::ffff:104.26.4.223;C:\Windows\SysWOW64\wscript.exe
734700x800000000000000014211911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.203{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid
734700x800000000000000014211897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.188{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid
734700x800000000000000014211856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.188{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid
734700x800000000000000014211854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid
734700x800000000000000014211853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid
734700x800000000000000014211851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.187{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid
734700x800000000000000014211848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.186{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid
734700x800000000000000014211846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.186{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid
734700x800000000000000014211844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid
734700x800000000000000014211842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid
734700x800000000000000014211840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.185{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid
734700x800000000000000014211839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.184{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid
734700x800000000000000014211837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.184{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid
734700x800000000000000014211834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.183{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid
734700x800000000000000014211833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.183{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid
734700x800000000000000014211832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid
734700x800000000000000014211830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid
10341000x800000000000000014211829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC43-6154-631A-02000000F001}9205244C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\SHELL32.dll+171154(wow64)|C:\Windows\System32\SHELL32.dll+17102e(wow64)|C:\Windows\System32\SHELL32.dll+1ae34a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64)
154100x800000000000000014211828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.182{8B6011A9-BC47-6154-661A-02000000F001}9344C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Administrator\Desktop\6104039597178880\remcos.vbs"
734700x800000000000000014211827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.181{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid
734700x800000000000000014211826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.181{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid
734700x800000000000000014211825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid
734700x800000000000000014211824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid
734700x800000000000000014211823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXEMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62EtrueMicrosoft WindowsValid
734700x800000000000000014211821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.180{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid
734700x800000000000000014211817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.179{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid
734700x800000000000000014211812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.179{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid
734700x800000000000000014211808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid
734700x800000000000000014211804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid
734700x800000000000000014211797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.178{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid
734700x800000000000000014211794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.177{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid
734700x800000000000000014211792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.176{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid
734700x800000000000000014211791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.175{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
12241200x800000000000000014211790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.175{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
12241200x800000000000000014211789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-09-29 19:19:35.175{8B6011A9-BC43-6154-631A-02000000F001}920C:\Windows\SYSWOW64\WSCRIPT.EXEHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
734700x800000000000000014211788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.175{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid
734700x800000000000000014211786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.174{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000014211785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.174{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014211784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.173{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid
734700x800000000000000014211783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.173{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x800000000000000014211782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.172{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid
734700x800000000000000014211780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.172{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid
734700x800000000000000014211778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid
734700x800000000000000014211777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.171{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
10341000x800000000000000014211776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.168{8B6011A9-5DE3-6143-C106-00000000F001}4363712C:\Windows\system32\csrss.exe{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000014211775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.168{8B6011A9-BC43-6154-631A-02000000F001}92010188C:\Windows\SYSWOW64\WSCRIPT.EXE{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005230169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000009CA1F8)
154100x800000000000000014211774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-29 19:19:35.168{8B6011A9-BC47-6154-651A-02000000F001}6472C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Users\Administrator\Desktop\6104039597178880\ATTACKRANGE\Administr